CVE-2024-46943

An issue was discovered in OpenDaylight Authentication, Authorization and Accounting (AAA) through 0.19.3. A rogue controller can join a cluster to impersonate an offline peer, even if this rogue controller does not possess the complete cluster configuration information.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CISA-ADPADP
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
VendorProductVersion
opendaylightauthentication\,_authorization_and_accounting
𝑥
≤ 0.19.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://docs.opendaylight.org/en/latest/release-notes/projects/aaa.html
https://doi.org/10.48550/arXiv.2408.16940
https://lf-opendaylight.atlassian.net/browse/AAA-285