-
Notifications
You must be signed in to change notification settings - Fork 0
/
CRSA-2015-0003.yaml
40 lines (32 loc) · 1.35 KB
/
CRSA-2015-0003.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
title: 'OpenDaylight authentication bypass'
description: 'It was found that the custom authentication realm used by the karaf-tomcat "opendaylight" realm would authenticate any username and password combination. The custom realm is work-in-progress code that is not yet suitable for production use. A remote attacker could use this flaw to access interfaces secured using the opendaylight realm, such as the northbound neutron API. The opendaylight realm has been updated to use UserDatabaseRealm, which reads credentials from the tomcat-users.xml file.'
references:
- https://wiki.opendaylight.org/view/Security_Advisories#.5BImportant.5D_CVE-2015-1778_OpenDaylight:_authentication_bypass
affected-products:
- product: CloudRouter
version:
- id: 1.0-beta
component: opendaylight-helium
issues:
- 33
patches:
- https://git.opendaylight.org/gerrit/#/c/16307/
vulnerabilities:
- cve-id: CVE-2015-1778
cloudrouter-security-issue: 3
impact-assessment:
source: 'IIX Product Security'
rating: important
assessment:
type: CVSS2
score: 6.4
detail: AV:N/AC:L/Au:N/C:P/I:P/A:N
classification:
source: 'IIX Product Security'
type: CWE
detail: TODO
reporters:
- name: 'Flavio Fernandes'
affiliation: 'Red Hat'
reported:
- CVE-2015-1778