SQL Injection Vulnerability in OpenDaylight's AAA Component
CVE-2022-45931

7.5HIGH

Key Information:

Vendor: Linux
Status: Opendaylight
Vendor: CVE Published:; 27 November 2022

What is CVE-2022-45931?

A SQL injection vulnerability exists in the AAA component of OpenDaylight, specifically in the deleteUser function of the UserStore class. When interacting with the API endpoint /auth/v1/users/, an attacker could manipulate input parameters to execute arbitrary SQL commands, potentially compromising the integrity and confidentiality of the database. This issue affects versions of OpenDaylight AAA prior to 0.16.5 and necessitates prompt action to mitigate risks.

References

https://jira.opendaylight.org/browse/AAA-241

https://git.opendaylight.org/gerrit/c/aaa/+/103243

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 27, 2022
Vulnerability Reserved
Nov 27, 2022

Linux

What is CVE-2022-45931?

References

CVSS V3.1

Timeline