Description
ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message.
Remediation
References
http://gms.cl0udz.com/ONOS_Vul.pdf
https://gerrit.onosproject.org/#/c/18779/
Related Vulnerabilities
CVE-2021-41109 Vulnerability in npm package parse-server
CVE-2023-49371 Vulnerability in maven package com.ruoyi:ruoyi
CVE-2021-4264 Vulnerability in maven package org.webjars.npm:dustjs-linkedin
CVE-2019-20503 Vulnerability in maven package org.webjars.npm:electron
CVE-2017-16008 Vulnerability in maven package org.webjars:i18next