OSA-2019-017: Some ONAP services allows to impersonate any user without authentication
Date: 2019-05-28
CVE: CVE-2019-12131
Severity: Important
Affects
APPC: Dublin and earlier
SDC: Dublin and earlier
Description
Łukasz Wrochna from Samsung reported a vulnerability in APPC (appc-cdt) and SDC (sdc-wfd-fe). By setting a USER_ID parameter in HTTP header an attacker may impersonate arbitrary existing user without any authentication. All APPC and SDC setups are affected.
Patches
No patch for this vulnerability has been proposed yet.
Credits
Łukasz Wrochna from Samsung