Description
ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message.
Remediation
References
https://gerrit.onosproject.org/#/c/18779/
http://gms.cl0udz.com/ONOS_Vul.pdf
Related Vulnerabilities
CVE-2021-34078 Vulnerability in npm package lifion-verify-deps
CVE-2023-31716 Vulnerability in npm package @frangoteam/fuxa
CVE-2023-26149 Vulnerability in npm package quill-mention
CVE-2022-26585 Vulnerability in maven package net.mingsoft:ms-mcms
CVE-2021-46062 Vulnerability in maven package net.mingsoft:ms-mcms