CVE-2019-12122

Name of the Vulnerable Software and Affected Versions ONAP Portal through Dublin

Description An issue was discovered in ONAP Portal, where an attacker who possesses a user's cookie may retrieve that user's password from the database by executing a call to "ONAPPORTAL/portalApi/loggedinUser". All Portal setups are affected.

Recommendations For ONAP Portal through Dublin, consider restricting access to the "ONAPPORTAL/portalApi/loggedinUser" endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the cookie variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.