BID:104238

OpenDaylight Controller 'SdniDataBase.java' SQL Injection Vulnerability

CVE-2018-1132 |

Info

OpenDaylight Controller 'SdniDataBase.java' SQL Injection Vulnerability

Bugtraq ID:	104238
Class:	Input Validation Error
CVE:	CVE-2018-1132
Remote:	Yes
Local:	No
Published:	May 19 2018 12:00AM
Updated:	May 19 2018 12:00AM
Credit:	Feng Xiao and Jianwei Huang of Wuhan University.
Vulnerable:	Opendaylight OpenDaylight Controller 0 Opendaylight Opendaylight 0

Not Vulnerable:

Discussion

OpenDaylight Controller 'SdniDataBase.java' SQL Injection Vulnerability

OpenDaylight Controller is prone to a sql-injection vulnerability.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Exploit / POC

OpenDaylight Controller 'SdniDataBase.java' SQL Injection Vulnerability

An attacker can exploit this issue using a web browser.

Solution / Fix

OpenDaylight Controller 'SdniDataBase.java' SQL Injection Vulnerability

Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].

References

OpenDaylight Controller 'SdniDataBase.java' SQL Injection Vulnerability

References:

Bug 1576947 - (CVE-2018-1132) CVE-2018-1132 Opendaylight: SDNInterfaceapp SQL In (Red Hat Bugzilla)
CVE-2018-1132 (Red Hat Bugzilla)
OpenDaylight Home Page (OpenDaylight)
SQL injection in the component database(SQLite) without authenticating to the co (OpenDaylight)