**Date:** 2019-05-28 **ID:** OSA-2019-008
**Title:** ONAP Portal allows to retrieve password of currently active user
**CVE:** CVE-2019-12122 **Severity:** Important

Affects
-------

* Portal: Dublin and earlier

Description
-----------

Krzysztof Opasiak from Samsung reported a vulnerability in Portal. By executing a call to ONAPPORTAL/portalApi/loggedinUser, an attacker who possesses a user's cookie may retrieve the user's password from the database. All Portal setups are affected.

Patches
-------

* `88682 <https://gerrit.onap.org/r/c/portal/+/88682>`_

Credits
-------

* Krzysztof Opasiak from Samsung

References
----------

* `OJSI-65 <https://jira.onap.org/browse/OJSI-65>`_
* `CVE-2019-12122 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12122>`_

--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
