Description

ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity.

Remediation

References

http://gms.cl0udz.com/Openconfig_xxe.pdf

https://gerrit.onosproject.org/#/c/18894/

Related Vulnerabilities

CVE-2022-36076 Vulnerability in npm package nodebb

CVE-2023-26104 Vulnerability in npm package lite-web-server

CVE-2022-39259 Vulnerability in maven package io.github.skylot:jadx-plugins-api

CVE-2022-25881 Vulnerability in npm package http-cache-semantics

CVE-2023-31544 Vulnerability in maven package org.opencms:opencms-core

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Issue Tracking