CVE-2018-1000614
CRITICAL
ONOS < 1.13.1 - Unauthenticated XML External Entity Injection in NetconfAlarmTranslator
ONOS Controller version 1.13.1 and earlier contains an XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that allows an adversary to remotely launch advanced XXE attacks on the ONOS controller without authentication. This attack appears to be exploitable via a crafted protocol message.
References (2)
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://gerrit.onosproject.org/#/c/18779/
Exploit, Third Party Advisory x_refsource_misc
http://gms.cl0udz.com/ONOS_Vul.pdf
Scores
CVSS v3
9.8
EPSS
0.0157
EPSS Percentile
72.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-611
Status
published
Products (1)
onosproject/onos
< 1.13.1
Published
Jul 09, 2018
Tracked Since
Feb 18, 2026