CVE-2017-1000406 - OpenCVE

OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart).

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Opendaylight	Karaf

Configuration 1 [-]

cpe:2.3:a:opendaylight:karaf:0.6.1-carbon:*:*:*:*:*:*:*

References

Link	Resource
http://seclists.org/oss-sec/2017/q4/320	Mailing List Third Party Advisory
https://git.opendaylight.org/gerrit/#/q/topic:AAA-151	Vendor Advisory
https://jira.opendaylight.org/browse/AAA-151	Issue Tracking Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-03T16:23:10

Updated: 2022-10-03T16:23:10

Reserved: 2022-10-03T00:00:00

Link: CVE-2017-1000406

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-11-30T21:29:00.203

Modified: 2017-12-20T18:52:42.920

Link: CVE-2017-1000406

JSON object: View

Redhat Information

No data.

CWE

CWE-254

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-10-03T16:23:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://git.opendaylight.org/gerrit/#/q/topic:AAA-151"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jira.opendaylight.org/browse/AAA-151"}, {"name": "[oss-security] 20171123 OpenDayLight: Password change doesn't result in Karaf clearing cache, allowing old password to still be used (CVE-2017-1000406)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2017/q4/320"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-1000406", "REQUESTER": "lhinds@redhat.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://git.opendaylight.org/gerrit/#/q/topic:AAA-151", "refsource": "CONFIRM", "url": "https://git.opendaylight.org/gerrit/#/q/topic:AAA-151"}, {"name": "https://jira.opendaylight.org/browse/AAA-151", "refsource": "CONFIRM", "url": "https://jira.opendaylight.org/browse/AAA-151"}, {"name": "[oss-security] 20171123 OpenDayLight: Password change doesn't result in Karaf clearing cache, allowing old password to still be used (CVE-2017-1000406)", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2017/q4/320"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000406", "datePublished": "2022-10-03T16:23:10", "dateReserved": "2022-10-03T00:00:00", "dateUpdated": "2022-10-03T16:23:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opendaylight:karaf:0.6.1-carbon:*:*:*:*:*:*:*", "matchCriteriaId": "C997D199-86BB-44F2-82E8-38FB0A7D3C20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart)."}, {"lang": "es", "value": "OpenDaylight Karaf 0.6.1-Carbon no limpia la memoria cach\u00e9 despu\u00e9s de un cambio de contrase\u00f1a, permitiendo el uso de la contrase\u00f1a antigua hasta que la memoria cach\u00e9 Karaf se limpie manualmente (por ejemplo, mediante reinicio)."}], "id": "CVE-2017-1000406", "lastModified": "2017-12-20T18:52:42.920", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-30T21:29:00.203", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/oss-sec/2017/q4/320"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://git.opendaylight.org/gerrit/#/q/topic:AAA-151"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.opendaylight.org/browse/AAA-151"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-254"}], "source": "nvd@nist.gov", "type": "Primary"}]}