Description
ONOS controller version 1.13.1 and earlier contains an XML External Entity (XXE) vulnerability in the loadXml() method of onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java. An adversary can remotely launch XXE attacks on the ONOS controller via an OpenConfig Terminal Device. The attack appears to be exploitable via network connectivity.
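To make the defect concrete, the following added example (written for this page, not ONOS code and not the patch under review at the gerrit link below) contrasts the vulnerable loader pattern with a hardened one. It assumes Apache Commons Configuration 1.x (the XMLConfiguration/HierarchicalConfiguration API the ONOS driver utilities use) and a JDK whose built-in Xerces parser honours the standard SAX/Xerces feature URIs. The XML payload, element names and file path are constructed for illustration only; the advisory does not publish an exploit document.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.apache.commons.configuration.ConfigurationException;
import org.apache.commons.configuration.HierarchicalConfiguration;
import org.apache.commons.configuration.XMLConfiguration;

public final class XxeLoaderDemo {

    // Constructed payload (not from the advisory): a device-style XML reply whose
    // internal DTD declares an external entity pointing at a local file. The path
    // is illustrative; an attacker chooses whatever the controller process can read.
    static final String PAYLOAD =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
          + "<data><components><component><name>&xxe;</name></component></components></data>";

    /** Vulnerable pattern: a default XMLConfiguration resolves external entities. */
    static HierarchicalConfiguration loadXmlUnsafe(InputStream xmlStream) {
        try {
            XMLConfiguration cfg = new XMLConfiguration();
            cfg.load(xmlStream);   // default DocumentBuilder expands &xxe; from disk
            return cfg;
        } catch (ConfigurationException e) {
            throw new IllegalArgumentException("Cannot load xml from Stream", e);
        }
    }

    /** Hardened pattern: hand XMLConfiguration a DocumentBuilder with DTD processing off. */
    static HierarchicalConfiguration loadXmlSafe(InputStream xmlStream) {
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            // Reject any DOCTYPE outright; this alone stops classic XXE and entity-expansion DoS.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for parsers that do not honour the feature above.
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);

            XMLConfiguration cfg = new XMLConfiguration();
            cfg.setDocumentBuilder(dbf.newDocumentBuilder());
            cfg.load(xmlStream);
            return cfg;
        } catch (ParserConfigurationException | ConfigurationException e) {
            throw new IllegalArgumentException("Cannot load xml from Stream", e);
        }
    }

    private static InputStream stream(String s) {
        return new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Unsafe loader: the <name> element now carries the contents of the referenced file.
        HierarchicalConfiguration leaked = loadXmlUnsafe(stream(PAYLOAD));
        System.out.println("unsafe loader returned: " + leaked.getString("components.component.name"));

        // Safe loader: the DOCTYPE is rejected before any entity can be resolved.
        try {
            loadXmlSafe(stream(PAYLOAD));
            System.out.println("safe loader accepted the document (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("safe loader rejected the document: " + e.getCause());
        }
    }
}
```

The check a practitioner wants here is the second branch: with disallow-doctype-decl set, the hardened loader throws on any document that carries a DTD, so device replies are parsed as plain element trees and no external resource is ever fetched. The vulnerable loader, by contrast, returns a configuration whose leaf value is the file the entity pointed at, which is exactly the information-disclosure path the description attributes to an OpenConfig Terminal Device.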
Remediation
References
http://gms.cl0udz.com/Openconfig_xxe.pdf
https://gerrit.onosproject.org/#/c/18894/