CVE-2019-12122
Published: 2020-03-18
Priority: P4 · 34 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.58% (43.1st percentile)
An issue was discovered in ONAP Portal through Dublin. By executing a call to ONAPPORTAL/portalApi/loggedinUser, an attacker who possesses a user's cookie may retrieve that user's password from the database. All Portal setups are affected.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| onap | open_network_automation_platform | >= 3.0.0 < 4.0.0 | 4.0.0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vendor_redhat | | 7.5 | HIGH | |
GHSA
GHSA-rwrh-x97c-rfp7 [MEDIUM]: An issue was discovered in ONAP Portal through Dublin
ghsa_unreviewed · 2022-05-24
Red Hat
CVE-2019-5737 [HIGH] CWE-400 nodejs: Insufficient Slowloris fix causing DoS via server.headersTimeout bypass
vendor_redhat · 2019-02-28 · CVSS 7.5
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November, and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.