CRITICAL 9.8
GHSA-qm24-4869-99pj
OpenDaylight will authenticate any username and password combination
Details
The custom authentication realm used by karaf-tomcat's "opendaylight" realm in OpenDaylight before Helium SR3 will authenticate any username and password combination.
Affected packages
Maven / org.opendaylight.odlparent:opendaylight-karaf-resources
Introduced in: 0
Fixed in: 0.2.3-Helium-SR3
Fix
# pom.xml: bump <version>0.2.3-Helium-SR3</version> for org.opendaylight.odlparent:opendaylight-karaf-resources
References
- https://nvd.nist.gov/vuln/detail/CVE-2015-1778 [ADVISORY]
- https://web.archive.org/web/20150510044305/https://git.opendaylight.org/gerrit/#/c/16307 [WEB]
- https://web.archive.org/web/20150510044305/https://wiki.opendaylight.org/view/Security_Advisories#.5BImportant.5D_CVE-2015-1778_OpenDaylight:_authentication_bypass [WEB]
- github.com/opendaylight/odlparent [PACKAGE]
- http://www.openwall.com/lists/oss-security/2015/03/20/3 [WEB]