Description

ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity.

Remediation

References

http://gms.cl0udz.com/Openconfig_xxe.pdf

https://gerrit.onosproject.org/#/c/18894/

Related Vulnerabilities

CVE-2020-28434 Vulnerability in npm package gitblame

CVE-2020-8141 Vulnerability in maven package org.webjars.npm:dot

CVE-2019-10783 Vulnerability in npm package lsof

CVE-2022-21802 Vulnerability in maven package org.webjars.npm:grapesjs

CVE-2022-31367 Vulnerability in npm package strapi-plugin-content-type-builder

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Issue Tracking