SQL Injection Vulnerability in OpenDaylight's AAA Component
CVE-2022-45931

7.5HIGH

Key Information:

Vendor
Linux
Status
Opendaylight
Vendor
CVE Published:
27 November 2022

Summary

A SQL injection vulnerability exists in the AAA component of OpenDaylight, specifically in the deleteUser function of the UserStore class. When interacting with the API endpoint /auth/v1/users/, an attacker could manipulate input parameters to execute arbitrary SQL commands, potentially compromising the integrity and confidentiality of the database. This issue affects versions of OpenDaylight AAA prior to 0.16.5 and necessitates prompt action to mitigate risks.

References

https://jira.opendaylight.org/browse/AAA-241
https://git.opendaylight.org/gerrit/c/aaa/+/103243

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.