Vulnerability Details : CVE-2017-1000406
OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart).
Products affected by CVE-2017-1000406
- cpe:2.3:a:opendaylight:karaf:0.6.1-carbon:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-1000406
0.23%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 43 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-1000406
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2017-1000406
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-1000406
-
https://git.opendaylight.org/gerrit/#/q/topic:AAA-151
Vendor Advisory
-
http://seclists.org/oss-sec/2017/q4/320
oss-sec: OpenDayLight: Password change doesn't result in Karaf clearing cache, allowing old password to still be used (CVE-2017-1000406)Mailing List;Third Party Advisory
-
https://jira.opendaylight.org/browse/AAA-151
[AAA-151] Previous password continues to work after password change - OpenDaylight JIRAIssue Tracking;Vendor Advisory
Jump to