PT-2020-9295 · Onap · Onap Sdc+1

Published: 2020-03-18 · Updated: 2020-03-20 · CVE-2019-12131

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

ONAP APPC versions through Dublin
ONAP SDC versions through Dublin

Description

An issue allows an attacker to impersonate an arbitrary existing user without authentication by setting the USER ID parameter in an HTTP header. All APPC and SDC setups are affected.

Recommendations

For ONAP APPC versions through Dublin, consider restricting access to the USER ID parameter in HTTP headers until a fix is available. For ONAP SDC versions through Dublin, avoid using the USER ID parameter in HTTP headers until the issue is resolved. As a temporary workaround, consider disabling the ability to set the USER ID parameter in HTTP headers for all APPC and SDC setups until a patch is available.
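
One way to apply the workaround at a filtering layer in front of APPC/SDC, shown as an added example (not ONAP code and not part of the original advisory): drop every spelling of the identity header unless the request comes from a gateway that has already authenticated the user. The header spelling `USER_ID`, the gateway subnet, and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the identity header is spelled USER_ID; the advisory only calls
# it "the USER ID parameter". Adjust to the name your deployment uses.
IDENTITY_HEADER = "USER_ID"

# Assumption: only this (constructed) gateway subnet authenticates users and
# is allowed to assert an identity header to APPC/SDC.
TRUSTED_GATEWAYS = [ipaddress.ip_network("10.20.0.0/28")]


def _canonical(name):
    """Fold case and treat '-' and '_' alike, since many servers and
    frameworks map both spellings to the same variable."""
    return name.strip().lower().replace("-", "_")


def is_trusted_peer(peer_ip):
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # an unparsable peer address is never trusted
    return any(addr in net for net in TRUSTED_GATEWAYS)


def filter_identity_header(headers, peer_ip):
    """Return (clean_headers, dropped) for one request.

    headers is a list of (name, value) pairs as received. Every spelling of
    the identity header is dropped unless the peer is a trusted gateway.
    """
    if is_trusted_peer(peer_ip):
        return list(headers), []
    target = _canonical(IDENTITY_HEADER)
    clean, dropped = [], []
    for name, value in headers:
        (dropped if _canonical(name) == target else clean).append((name, value))
    return clean, dropped


# Constructed sample request from an untrusted client.
SAMPLE = [("Host", "sdc.example.internal"), ("User-Id", "admin"),
          ("USER_ID", "admin"), ("Accept", "application/json")]

if __name__ == "__main__":
    clean, dropped = filter_identity_header(SAMPLE, "203.0.113.7")
    print("forwarded:", clean)
    print("dropped (log and alert on these):", dropped)
```

A non-empty `dropped` list for an untrusted peer is also a useful detection signal: a direct client has no reason to send this header.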

Exploit

Fix

Authentication Bypass by Spoofing

Weakness Enumeration

Related Identifiers

CVE-2019-12131

Affected Products

Onap Appc
Onap Sdc