Vulnerability Name: CVE-2017-1000406

Assigned: 2017-11-30
Published: 2017-11-23
Updated: 2017-11-30
Summary: OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart).
CVSS v3 Severity: 7.5 High (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): High
Availability (A): None
CVSS v2 Severity:
References:
Source: MLIST
Type: UNKNOWN
[oss-security] 20171123 OpenDayLight: Password change doesn't result in Karaf clearing cache, allowing old password to still be used (CVE-2017-1000406)

Source: XF
Type: UNKNOWN
opendaylight-cve20171000406-weak-security(135764)

Source: CONFIRM
Type: UNKNOWN
https://git.opendaylight.org/gerrit/#/q/topic:AAA-151

Source: CONFIRM
Type: UNKNOWN
https://jira.opendaylight.org/browse/AAA-151
