OSA-2019-017: Some ONAP services allows to impersonate any user without authentication

Date: 2019-05-28

CVE: CVE-2019-12131

Severity: Important

Affects

APPC: Dublin and earlier
SDC: Dublin and earlier

Description

Łukasz Wrochna from Samsung reported a vulnerability in APPC (appc-cdt) and SDC (sdc-wfd-fe). By setting a USER_ID parameter in HTTP header an attacker may impersonate arbitrary existing user without any authentication. All APPC and SDC setups are affected.

Patches

No patch for this vulnerability has been proposed yet.

Credits

Łukasz Wrochna from Samsung

References

Read the Docs v: latest

Versions: latest; montreal; london; kohn; jakarta

Downloads

On Read the Docs: Project Home; Builds