{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-07-08T00:00:00", "descriptions": [{"lang": "en", "value": "ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\\drivers\\utilities\\src\\main\\java\\org\\onosproject\\drivers\\utilities\\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-10-03T16:21:59", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://gerrit.onosproject.org/#/c/18894/"}, {"tags": ["x_refsource_MISC"], "url": "http://gms.cl0udz.com/Openconfig_xxe.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2018-07-08T15:52:41.194245", "DATE_REQUESTED": "2018-06-28T03:02:59", "ID": "CVE-2018-1000616", "REQUESTER": "f3i@t00ls.net", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\\drivers\\utilities\\src\\main\\java\\org\\onosproject\\drivers\\utilities\\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://gerrit.onosproject.org/#/c/18894/", "refsource": "CONFIRM", "url": "https://gerrit.onosproject.org/#/c/18894/"}, {"name": "http://gms.cl0udz.com/Openconfig_xxe.pdf", "refsource": "MISC", "url": "http://gms.cl0udz.com/Openconfig_xxe.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000616", "datePublished": "2022-10-03T16:21:59", "dateReserved": "2018-06-28T00:00:00", "dateUpdated": "2022-10-03T16:21:59", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:onosproject:onos:*:*:*:*:*:*:*:*", "matchCriteriaId": "07932239-88E0-45F0-988B-99BAF9761472", "versionEndIncluding": "1.13.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\\drivers\\utilities\\src\\main\\java\\org\\onosproject\\drivers\\utilities\\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity."}, {"lang": "es", "value": "ONOS ONOS Controller en versiones 1.13.1 y anteriores contiene una vulnerabilidad XXE (XML External Entity) en onos\\drivers\\utilities\\src\\main\\java\\org\\onosproject\\drivers\\utilities\\XmlConfigParser.java en la funci\u00f3n loadxml() que puede resultar en en que un atacante puede ejecutar ataques XXE remotamente en el controlador ONOS mediante un dispositivo terminal OpenConfig. Este ataque parece ser explotable mediante conectividad de red."}], "id": "CVE-2018-1000616", "lastModified": "2018-09-04T15:34:39.363", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-09T20:29:00.503", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://gms.cl0udz.com/Openconfig_xxe.pdf"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://gerrit.onosproject.org/#/c/18894/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}