Security Vulnerabilities - CVEs Published In April 2023
An issue was discovered in ONOS 2.5.1. Modification of an existing intent to have the same source and destination shows the INSTALLED state without any flow rule. Improper handling of such an intent is misleading to a network operator.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-04-20
An issue was discovered in ONOS 2.5.1. An intent with a port that is an intermediate point of its path installs an invalid flow rule, causing a network loop.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-04-20
An issue was discovered in ONOS 2.5.1. An intent with the same source and destination shows the INSTALLING state, indicating that its flow rules are installing. Improper handling of such an intent is misleading to a network operator.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-04-20
An issue was discovered in ONOS 2.5.1. There is an incorrect comparison of paths installed by intents. An existing intents does not redirect to a new path, even if a new intent that shares the path with higher priority is installed.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-04-20
An issue was discovered in ONOS 2.5.1. In IntentManager, the install-requested intent (which causes an exception) remains in pendingMap (in memory) forever. Deletion is possible neither by a user nor by the intermittent Intent Cleanup process.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-04-20
An issue was discovered in ONOS 2.5.1. There is an incorrect comparison of flow rules installed by intents. A remote attacker can install or remove a new intent, and consequently modify or delete the existing flow rules related to other intents.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-04-20
An issue was discovered in ONOS 2.5.1. The purge-requested intent remains on the list, but it does not respond to changes in topology (e.g., link failure). In combination with other applications, it could lead to a failure of network management.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-04-20
An issue was discovered in ONOS 2.5.1. To attack an intent installed by a normal user, a remote attacker can install a duplicate intent with a different key, and then remove the duplicate one. This will remove the flow rules of the intent, even though the intent still exists in the controller.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-04-20
The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to a stored XSS prior to 28th March 2023. A feature of Snyk Advisor is to display the contents of a scanned package's Readme on its package health page. An attacker could create a package in NPM with an associated markdown README file containing XSS-able HTML tags. Upon Snyk Advisor importing the package, the XSS would run each time an end user browsed to the package's page on Snyk Advisor.
CVSS Score
4.3
EPSS Score
0.04
Published
2023-04-20
Desktop component service allows lateral movement between sessions in M-Files before 23.4.12455.0.
CVSS Score
3.6
EPSS Score
0.0
Published
2023-04-20