A vulnerability, which was classified as critical, has been found in OpenDaylight up to 0.16.4. This issue affects the function deleteRole of the file aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/RoleStore.java. The manipulation with an unknown input leads to a sql injection vulnerability. Using CWE to declare the problem leads to CWE-89. The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

A SQL injection issue was discovered in AAA in OpenDaylight (ODL) before 0.16.5. The aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/RoleStore.java deleteRole function is affected when the API interface /auth/v1/roles/ is used.

The weakness was disclosed 11/27/2022. It is possible to read the advisory at git.opendaylight.org. The identification of this vulnerability is CVE-2022-45932 since 11/27/2022. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1505 according to MITRE ATT&CK.

Upgrading to version 0.16.5 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.opendaylight.org. The best possible mitigation is suggested to be upgrading to the latest version.

Productinfo

Name

• OpenDaylight

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion