Description

ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity.

Remediation

References

http://gms.cl0udz.com/Openconfig_xxe.pdf

https://gerrit.onosproject.org/#/c/18894/

Related Vulnerabilities

CVE-2020-21125 Vulnerability in maven package com.bstek.ureport:ureport2-console

CVE-2020-16022 Vulnerability in npm package electron

CVE-2016-2510 Vulnerability in maven package org.apache-extras.beanshell:bsh

CVE-2010-0684 Vulnerability in maven package org.apache.activemq:activemq-web

CVE-2021-21298 Vulnerability in npm package @node-red/runtime

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Issue Tracking