CVE-2018-1999020

MEDIUM

ONOS < 1.13.2 - Path Traversal and Arbitrary File Deletion via Crafted Zip Upload


Description

Open Networking Foundation (ONF) ONOS versions 1.13.2 and earlier contain a directory traversal vulnerability in core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java, line 35, that can result in arbitrary file deletion (overwrite). The attack appears to be exploitable by uploading a specially crafted zip file.

References (2)

http://gms.cl0udz.com/ONOS_app_overwrite.pdf (Exploit, Mailing List, Third Party Advisory; x_refsource_misc)
https://gerrit.onosproject.org/#/c/19043/ (Patch, Vendor Advisory; x_refsource_confirm)

Scores

CVSS v3 5.5
EPSS 0.0128
EPSS Percentile 66.5%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE CWE-22
Status published
Products (1)
opennetworking/onos < 1.13.2
Published Jul 23, 2018
Tracked Since Feb 18, 2026