ONAP JIRA Security Issues / OJSI-34

Multiple SQL Injection issues in SDNC


Details

    • CVE-2019-12319

      Title: SQL Injections in SDNC

      Reporter: Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung

      Products: SDNC

      Affects: Casablanca and earlier

      Description:

      Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung reported a number of vulnerabilities in ONAP SDNC. By providing crafted user input, an attacker (including an unauthenticated one) gains access to the service database. All ONAP setups are affected.

      Note:

      The Dublin release is not vulnerable to this attack because the admportal has been disabled, but the code itself is still vulnerable.

       

    • OJSI-SDNC
    • SDNC El Alto Sprint 1

    Description

       

      Send script source code:

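      #!/bin/bash
      # Usage: ./send arg1 arg2 ...
      # Logs in to the admportal, then runs HTTPie with the given arguments
      # and the session cookie attached.

      base='http://IP:30201'   # admportal base URL (IP is a placeholder)
      user='a@a'
      pass='pass'

      # Log in through the form and extract the connect.sid value
      # from the Set-Cookie response header.
      sid="$(
          http -v -f "$base/formLogin" email="$user" password="$pass" 2> /dev/null |
          grep -m 1 connect.sid | sed -E 's/^[^=]*=([^;]*);.*$/\1/'
      )"

      # Stop if the login did not return a session cookie.
      if [ -z "$sid" ]; then
          echo 'Where is sid?' >&2
          exit 1
      fi

      # Send the request given on the command line with the session cookie, and time it.
      time http -v "$@" Cookie:"connect.sid=$sid"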

       

      Attachments

        1. SQL Injection issue in SDNC - signup form (Sub-task, New, Alfred Rotundo)
        2. SQL Injection issue in SDNC - deleteUser form (Sub-task, New, Alfred Rotundo)
        3. SQL Injection issue in SDNC - admin/deleteParameter form (Sub-task, New, Alfred Rotundo)
        4. SQL Injection issue in SDNC - mobility/loadVnfData form (Sub-task, New, Alfred Rotundo)
        5. SQL Injection issue in SDNC - addUser form (Sub-task, New, Alfred Rotundo)
        6. SQL Injection issue in SDNC - updateUser form (Sub-task, New, Alfred Rotundo)
        7. SQL Injection issue in SDNC - formLogin form (Sub-task, New, Alfred Rotundo)
        8. SQL Injection issue in SDNC - sla/activate form (Sub-task, New, Alfred Rotundo)
        9. SQL Injection issue in SDNC - sla/deactivate form (Sub-task, New, Alfred Rotundo)
        10. SQL Injection issue in SDNC - sla/activate form module param (Sub-task, New, Alfred Rotundo)
        11. SQL Injection issue in SDNC - sla/deleteDG form (Sub-task, New, Alfred Rotundo)
        12. SQL Injection issue in SDNC - gamma/getNbVlanPool form (Sub-task, New, Alfred Rotundo)
        13. SQL Injection issue in SDNC - gamma/addNetworkProfile form (Sub-task, New, Unassigned)
        14. SQL Injection issue in SDNC - gamma/deleteNetworkProfile form (Sub-task, New, Alfred Rotundo)
        15. SQL Injection issue in SDNC - gamma/updateNetworkProfile form (Sub-task, New, Alfred Rotundo)
        16. SQL Injection issue in SDNC - gamma/updateNbVlanPool form (Sub-task, New, Alfred Rotundo)
        17. SQL Injection issue in SDNC - mobility/deleteVnfNetworkData form (Sub-task, New, Alfred Rotundo)
        18. SQL Injection issue in SDNC - mobility/deleteVnfData form (Sub-task, New, Alfred Rotundo)
        19. SQL Injection issue in SDNC - mobility/deleteVmProfile form (Sub-task, New, Alfred Rotundo)
        20. SQL Injection issue in SDNC - mobility/deleteVnfProfile form (Sub-task, New, Alfred Rotundo)
        21. SQL Injection issue in SDNC - mobility/deleteVmNetwork form (Sub-task, New, Alfred Rotundo)
        22. SQL Injection issue in SDNC - mobility/addVnfNetwork form (Sub-task, New, Alfred Rotundo)

          People

            arotundo Alfred Rotundo
            Jakub.Botwicz Jakub Botwicz