ONAP JIRA Security Issues / OJSI-93

Some ONAP services allow impersonating any user without authentication (CVE-2019-12131)


Details

    • CVE-2019-12131
    • OJSI-APPC
    • Some ONAP services allow impersonating any user without authentication

    Description

      Some ONAP services allow impersonating any user, without any
      authentication, just by setting the USER_ID header in the request.

       

      Impact description (draft)

      Title: Some ONAP services allow impersonating any user without authentication

      Reporter: Łukasz Wrochna from Samsung

      Products: APPC, SDC

      Affects: Dublin and earlier

      Description:

      Łukasz Wrochna from Samsung reported a vulnerability in APPC (appc-cdt) and SDC (sdc-wfd-fe). By setting a USER_ID parameter in the HTTP header, an attacker may impersonate an arbitrary existing user without any authentication. All APPC and SDC setups are affected.
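
The flaw class described above, shown as an added example that is not ONAP code and not the project's fix: a resolver that takes identity from the USER_ID header, next to one that derives identity only from a credential the server can verify, with a small audit over constructed requests. The session token format, key, user names and function names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical key and user list, constructed for this example.
SESSION_KEY = b"example-only-key"
KNOWN_USERS = {"alice", "bob"}

def _mac(user):
    return hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()

def sign_session(user):
    """Issue a session token after a real login (login itself not shown)."""
    return f"{user}.{_mac(user)}"

def user_from_header_only(headers):
    """Flawed pattern from the report: identity is whatever USER_ID says."""
    user = headers.get("USER_ID")
    return user if user in KNOWN_USERS else None

def user_from_verified_session(headers):
    """Hardened: identity comes only from a credential the server verifies."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Session "):
        return None
    user, _, mac = auth[len("Session "):].rpartition(".")
    if user not in KNOWN_USERS:
        return None
    if not hmac.compare_digest(mac.encode(), _mac(user).encode()):
        return None
    claimed = headers.get("USER_ID")
    if claimed is not None and claimed != user:
        return None  # USER_ID may never override the verified session
    return user

# Constructed requests: (headers, identity the server should establish)
CASES = [
    ({"USER_ID": "alice"}, None),  # header alone, no credential
    ({"USER_ID": "bob", "Authorization": "Session " + sign_session("alice")}, None),
    ({"Authorization": "Session " + sign_session("alice")}, "alice"),
    ({"USER_ID": "alice", "Authorization": "Session alice.deadbeef"}, None),
]

def audit(resolver):
    """Return the cases where the resolver establishes the wrong identity."""
    return [(h, want) for h, want in CASES if resolver(h) != want]
```

Running `audit` against a service's real identity resolver in a regression test catches any code path that still accepts a bare USER_ID header.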


          People

            kopasiak Krzysztof Opasiak
            l.wrochna Łukasz Wrochna