Onosproject Onos vulnerabilities
13 known vulnerabilities affecting onosproject/onos.
Total CVEs: 13
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 5, MEDIUM 4
Vulnerabilities
CVE-2017-1000081 | P2 | CRITICAL | CVSS 9.8 | CWE-434 | v1.8.0, v1.9.0 | 2017-07-17
Linux Foundation ONOS 1.9.0 is vulnerable to unauthenticated upload of applications (.oar), resulting in remote code execution.
nvd
CVE-2019-13624 | P3 | CRITICAL | CVSS 9.8 | CWE-19 | v1.15.0 | 2019-07-17
In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command.
nvd
CVE-2018-1000614 | P3 | CRITICAL | CVSS 9.8 | CWE-611 | ≤ 1.13.1 | 2018-07-09
ONOS Controller version 1.13.1 and earlier contains an XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can allow an adversary to remotely launch advanced XXE attacks on the ONOS controller without authentication. This attack appears to
nvd
CVE-2018-1000616 | P3 | CRITICAL | CVSS 9.8 | CWE-611 | ≤ 1.13.1 | 2018-07-09
ONOS Controller version 1.13.1 and earlier contains an XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can allow an adversary to remotely launch XXE attacks on the ONOS controller via an OpenConfig Terminal Device. This attack appears to
nvd
CVE-2017-1000080 | P3 | HIGH | CVSS 7.5 | v1.8.0, v1.9.0 | 2017-07-17
Linux Foundation ONOS 1.9.0 allows unauthenticated use of websockets.
nvd
CVE-2015-7516 | P3 | HIGH | CVSS 7.5 | CWE-476 | ≤ 1.4.0 | 2017-08-24
ONOS before 1.5.0 when using the ifwd app allows remote attackers to cause a denial of service (NULL pointer dereference and switch disconnect) by sending two Ethernet frames with ether_type Jumbo Frame (0x8870).
nvd
CVE-2018-1000615 | P3 | HIGH | CVSS 7.5 | ≤ 1.13.1 | 2018-07-09
ONOS Controller version 1.13.1 and earlier contains a denial-of-service (service crash) vulnerability in the OVSDB component that can allow an adversary to remotely crash the OVSDB service of the ONOS controller via a normal switch. This attack appears to be exploitable when the attacker is able to control or forge a switch in the network.
nvd
CVE-2018-12691 | P4 | MEDIUM | CVSS 6.8 | CWE-362 | ≤ 1.13.0 | 2018-07-05
Time-of-check to time-of-use (TOCTOU) race condition in org.onosproject.acl (aka the access control application) in ONOS v1.13 and earlier allows attackers to bypass network access control via data plane packet injection.
nvd
CVE-2017-1000079 | P4 | HIGH | CVSS 7.5 | v1.8.0, v1.9.0 | 2017-07-17
Linux Foundation ONOS 1.9.0 is vulnerable to a DoS.
nvd
CVE-2017-13763 | P4 | HIGH | CVSS 7.5 | CWE-770 | v1.8.0, v1.9.0, +1 more | 2017-08-30
ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of memory allocated. The Netty payload size is not limited.
nvd
CVE-2017-13762 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v1.8.0, v1.9.0, +1 more | 2017-08-30
ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS.
nvd
CVE-2017-1000078 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v1.8.0, v1.9.0 | 2017-07-17
Linux Foundation ONOS 1.9 is vulnerable to XSS in the device registration.
nvd
CVE-2023-30093 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≥ 1.9.0, ≤ 2.7.0 | 2023-05-04
A cross-site scripting (XSS) vulnerability in Open Networking Foundation ONOS from version v1.9.0 to v2.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter of the API documentation dashboard.
nvd