Lucene search

Redhat.comRH:CVE-2022-45931

HistoryNov 29, 2022 - 9:56 p.m.

CVE-2022-45931

2022-11-2921:56:08

redhat.com

access.redhat.com

opendaylight

sql injection

arbitrary sql statements

aaa package

api interface

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

27.0%

JSON

A SQL injection issue was discovered in the AAA package of OpenDaylight. The aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/UserStore.java deleteUser function is affected when the API interface /auth/v1/users/ is used. This may allow a malicious user to execute arbitrary sql statements against the database.

References

bugzilla.redhat.com/show_bug.cgi?id=2149431

git.opendaylight.org/gerrit/c/aaa/+/103243

jira.opendaylight.org/browse/AAA-241

nvd.nist.gov/vuln/detail/CVE-2022-45931

www.cve.org/CVERecord?id=CVE-2022-45931

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

27.0%

JSON

Related for RH:CVE-2022-45931