SQL Injection Vulnerability in OpenDaylight AAA Component
CVE-2022-45932

7.5HIGH

Key Information:

Vendor: Linux
Status: Opendaylight
Vendor: CVE Published:; 27 November 2022

Summary

A SQL injection vulnerability exists in the OpenDaylight AAA component that allows an attacker to craft malicious API requests targeting the /auth/v1/roles/ endpoint. Specifically, the issue lies within the deleteRole function located in the RoleStore class, which fails to properly sanitize input parameters, enabling the manipulation of database queries. This flaw could potentially lead to unauthorized access or modification of user roles, posing significant risks to the integrity of access controls within the OpenDaylight framework.

References

https://jira.opendaylight.org/browse/AAA-239

https://git.opendaylight.org/gerrit/c/aaa/+/103241

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 27, 2022
Vulnerability Reserved
Nov 27, 2022