{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-30T21:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://git.opendaylight.org/gerrit/#/q/topic:AAA-151"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jira.opendaylight.org/browse/AAA-151"}, {"name": "[oss-security] 20171123 OpenDayLight: Password change doesn't result in Karaf clearing cache, allowing old password to still be used (CVE-2017-1000406)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2017/q4/320"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-1000406", "REQUESTER": "lhinds@redhat.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://git.opendaylight.org/gerrit/#/q/topic:AAA-151", "refsource": "CONFIRM", "url": "https://git.opendaylight.org/gerrit/#/q/topic:AAA-151"}, {"name": "https://jira.opendaylight.org/browse/AAA-151", "refsource": "CONFIRM", "url": "https://jira.opendaylight.org/browse/AAA-151"}, {"name": "[oss-security] 20171123 OpenDayLight: Password change doesn't result in Karaf clearing cache, allowing old password to still be used (CVE-2017-1000406)", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2017/q4/320"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T22:00:39.873Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://git.opendaylight.org/gerrit/#/q/topic:AAA-151"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jira.opendaylight.org/browse/AAA-151"}, {"name": "[oss-security] 20171123 OpenDayLight: Password change doesn't result in Karaf clearing cache, allowing old password to still be used (CVE-2017-1000406)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2017/q4/320"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000406", "datePublished": "2017-11-30T21:00:00Z", "dateReserved": "2017-11-30T00:00:00Z", "dateUpdated": "2024-09-16T20:02:38.468Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opendaylight:karaf:0.6.1-carbon:*:*:*:*:*:*:*", "matchCriteriaId": "C997D199-86BB-44F2-82E8-38FB0A7D3C20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart)."}, {"lang": "es", "value": "OpenDaylight Karaf 0.6.1-Carbon no limpia la memoria cach\u00e9 despu\u00e9s de un cambio de contrase\u00f1a, permitiendo el uso de la contrase\u00f1a antigua hasta que la memoria cach\u00e9 Karaf se limpie manualmente (por ejemplo, mediante reinicio)."}], "id": "CVE-2017-1000406", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-30T21:29:00.203", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/oss-sec/2017/q4/320"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://git.opendaylight.org/gerrit/#/q/topic:AAA-151"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.opendaylight.org/browse/AAA-151"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/oss-sec/2017/q4/320"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://git.opendaylight.org/gerrit/#/q/topic:AAA-151"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.opendaylight.org/browse/AAA-151"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-254"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Vaibhav Hemant Dixit (Arizona State University) for reporting this issue.", "bugzilla": {"description": "opendaylight: Previous password continues to work after password change", "id": "1530424", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1530424"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-285", "details": ["OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart).", "OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart)."], "name": "CVE-2017-1000406", "package_state": [{"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:11", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 11 (Ocata)"}, {"cpe": "cpe:/a:redhat:openstack:12", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 12 (Pike)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Not affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Not affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2017-11-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-1000406\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000406"], "threat_severity": "Moderate"}