CVE-2024-46943

EUVD-2024-2707
An issue was discovered in OpenDaylight Authentication, Authorization and Accounting (AAA) through 0.19.3. A rogue controller can join a cluster to impersonate an offline peer, even if this rogue controller does not possess the complete cluster configuration information.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA-ADPADP
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
Affected Products (NVD)
VendorProductVersion
opendaylightauthentication\,_authorization_and_accounting
𝑥
≤ 0.19.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://docs.opendaylight.org/en/latest/release-notes/projects/aaa.html
https://doi.org/10.48550/arXiv.2408.16940
https://lf-opendaylight.atlassian.net/browse/AAA-285