OSA-2019-017: Some ONAP services allow impersonation of any user without authentication

Date: 2019-05-28

CVE: CVE-2019-12131

Severity: Important

Affects

  • APPC: Dublin and earlier

  • SDC: Dublin and earlier

Description

Łukasz Wrochna from Samsung reported a vulnerability in APPC (appc-cdt) and SDC (sdc-wfd-fe). By setting a USER_ID parameter in the HTTP header, an attacker may impersonate an arbitrary existing user without any authentication. All APPC and SDC setups are affected.
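The flaw described above is that identity is taken from a header the client controls. The sketch below is an added example, not ONAP code: it shows a header filter for an authenticating gateway assumed to sit in front of the affected services. The names `sanitize_headers`, `demo_authenticate` and `SESSIONS` are hypothetical, and the bearer-token scheme and sample values are constructed.

```python
from typing import Callable, Iterable, List, Optional, Tuple

Header = Tuple[str, str]
IDENTITY_HEADER = "USER_ID"  # header name taken from the advisory


def _canon(name: str) -> str:
    # Header names are case-insensitive, and CGI-style backends map "-" to
    # "_", so "user-id" can reach the application as USER_ID as well.
    return name.strip().lower().replace("-", "_")


def sanitize_headers(
    headers: Iterable[Header],
    authenticate: Callable[[List[Header]], Optional[str]],
) -> Optional[List[Header]]:
    """Return the headers to forward upstream, or None to reject (HTTP 401).

    `authenticate` is a hypothetical hook that verifies a real credential
    and returns the verified user id, or None when verification fails.
    """
    # 1. Drop every client-supplied variant of the identity header.
    target = _canon(IDENTITY_HEADER)
    cleaned = [(n, v) for n, v in headers if _canon(n) != target]
    # 2. Identity comes only from the verified credential.
    user = authenticate(cleaned)
    if user is None:
        return None
    # 3. Set the identity header ourselves, exactly once.
    cleaned.append((IDENTITY_HEADER, user))
    return cleaned


# Constructed sample session store: token -> user id (not real ONAP data).
SESSIONS = {"constructed-token-123": "alice"}


def demo_authenticate(headers: List[Header]) -> Optional[str]:
    # Hypothetical authenticator: looks up a bearer token in SESSIONS.
    for name, value in headers:
        if name.lower() == "authorization" and value.startswith("Bearer "):
            return SESSIONS.get(value[len("Bearer "):])
    return None
```

A request carrying only `USER_ID: admin` is rejected, and a request with a valid token is forwarded with `USER_ID` set to the token's owner regardless of what the client sent.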

Patches

No patch for this vulnerability has been proposed yet.

Credits

  • Łukasz Wrochna from Samsung
