Details
- Epic
- Status: Confirmed
- Medium
- Resolution: Unresolved
- Casablanca Maintenance Release, Dublin Release, Casablanca
- CVE-2019-12131
- OJSI-APPC
Some ONAP services allow impersonating any user without authentication
Description
Some ONAP services allow impersonating any user simply by setting the USER_ID
header in the request, without any authentication.
Impact description (draft)
Title: Some ONAP services allow impersonating any user without authentication
Reporter: Łukasz Wrochna from Samsung
Products: APPC, SDC
Affects: Dublin and earlier
Description:
Łukasz Wrochna from Samsung reported a vulnerability in APPC (appc-cdt) and SDC (sdc-wfd-fe). By setting a USER_ID parameter in the HTTP header, an attacker may impersonate an arbitrary existing user without any authentication. All APPC and SDC setups are affected.
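The flaw described above, sketched as an added example (not APPC or SDC code): a handler that takes the caller's identity from the USER_ID header, next to one that derives it only from a verified token. The HMAC token scheme, the key, the user names and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed values for this illustration; not taken from APPC or SDC.
SECRET = b"constructed-demo-key"
KNOWN_USERS = {"alice", "bob"}


def _mac(user: str) -> str:
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def sign(user: str) -> str:
    """Token a login step would issue after real authentication (assumed)."""
    return f"{user}.{_mac(user)}"


def _get(headers: dict, name: str):
    """HTTP header names are case-insensitive, so match accordingly."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def identity_vulnerable(headers: dict):
    """Flawed pattern: whoever the USER_ID header names is the caller."""
    user = _get(headers, "USER_ID")
    return user if user in KNOWN_USERS else None


def identity_hardened(headers: dict):
    """Identity comes only from a verified token; USER_ID is ignored."""
    token = _get(headers, "Authorization") or ""
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    user, _, mac = token.rpartition(".")
    if not user or not hmac.compare_digest(mac.encode(), _mac(user).encode()):
        return None  # unauthenticated: rejected whatever USER_ID says
    return user if user in KNOWN_USERS else None


# Constructed requests: one carrying only a USER_ID header, and one from an
# authenticated caller that also carries a USER_ID naming someone else.
FORGED = {"user_id": "alice"}
MIXED = {"Authorization": "Bearer " + sign("bob"), "USER_ID": "alice"}

if __name__ == "__main__":
    for req in (FORGED, MIXED):
        print(identity_vulnerable(req), identity_hardened(req))
```

The same rule applies at a reverse proxy in front of such a service: an inbound USER_ID header from a client is dropped or overwritten with the authenticated identity, never passed through.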
Attachments
| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 88643,3 | Issue OSA for OJSI-93 | master | osa | MERGED | +2 | +1 |