A vulnerability classified as critical has been found in OpenDaylight up to 0.16.4. This affects the function deleteDomain of the file aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/DomainStore.java of the component AAA. The manipulation with an unknown input leads to a sql injection vulnerability. CWE is classifying the issue as CWE-89. The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

A SQL injection issue was discovered in AAA in OpenDaylight (ODL) before 0.16.5. The aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/DomainStore.java deleteDomain function is affected for the /auth/v1/domains/ API interface.

The weakness was published 11/27/2022. The advisory is shared at git.opendaylight.org. This vulnerability is uniquely identified as CVE-2022-45930 since 11/27/2022. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1505 for this issue.

Upgrading to version 0.16.5 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.opendaylight.org. The best possible mitigation is suggested to be upgrading to the latest version.

Productinfo

Name

• OpenDaylight

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion