OSA-2019-008: ONAP Portal allows to retrieve password of currently active user

Date: 2019-05-28

CVE: CVE-2019-12122

Severity: Important

Affects

Portal: Dublin and earlier

Description

Krzysztof Opasiak from Samsung reported a vulnerability in Portal. By executing a call to ONAPPORTAL/portalApi/loggedinUser an attacker who posses user’s cookie may retrieve user’s password from the database. All Portal setups are affected.

Patches

88682

Credits

Krzysztof Opasiak from Samsung

References

Read the Docs v: kohn

Versions: latest; kohn; jakarta

Downloads: html

On Read the Docs: Project Home; Builds