VYPR
Vendor: Onosproject

Products: 5
CVEs: 17
Across products: 17
Status: Private

Recent CVEs (17)
  • CVE-2018-1000616 | Critical | Jul 9, 2018
    risk 0.64 | cvss 9.8 | epss 0.01

    ONOS ONOS controller version 1.13.1 and earlier contains an XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS…

  • CVE-2018-1000614 | Critical | Jul 9, 2018
    risk 0.64 | cvss 9.8 | epss 0.02

    ONOS ONOS Controller version 1.13.1 and earlier contains an XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks…

  • CVE-2017-1000081 | Critical | Jul 17, 2017
    risk 0.64 | cvss 9.8 | epss 0.03

    Linux Foundation ONOS 1.9.0 is vulnerable to unauthenticated upload of applications (.oar) resulting in remote code execution.

  • CVE-2018-1000615 | High | Jul 9, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of Service (Service crash) vulnerability in OVSDB component in ONOS that can result in An adversary can remotely crash OVSDB service ONOS controller via a normal switch. This attack appears to be exploitable via…

  • CVE-2015-7516 | High | Aug 24, 2017
    risk 0.49 | cvss 7.5 | epss 0.04

    ONOS before 1.5.0 when using the ifwd app allows remote attackers to cause a denial of service (NULL pointer dereference and switch disconnect) by sending two Ethernet frames with ether_type Jumbo Frame (0x8870).

  • CVE-2017-1000080 | High | Jul 17, 2017
    risk 0.49 | cvss 7.5 | epss 0.01

    Linux Foundation ONOS 1.9.0 allows unauthenticated use of websockets.

  • CVE-2017-1000079 | High | Jul 17, 2017
    risk 0.49 | cvss 7.5 | epss 0.01

    Linux Foundation ONOS 1.9.0 is vulnerable to a DoS.

  • CVE-2018-12691 | Medium | Jul 5, 2018
    risk 0.44 | cvss 6.8 | epss 0.01

    Time-of-check to time-of-use (TOCTOU) race condition in org.onosproject.acl (aka the access control application) in ONOS v1.13 and earlier allows attackers to bypass network access control via data plane packet injection.

  • CVE-2017-13763 | High | Aug 30, 2017
    risk 0.42 | cvss 7.5 | epss 0.01

    ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of memory allocated. The Netty payload size is not limited.

  • CVE-2017-13762 | Medium | Aug 30, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS.

  • CVE-2017-1000078 | Medium | Jul 17, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Linux Foundation ONOS 1.9 is vulnerable to XSS in the device registration.

  • CVE-2025-30077 | Medium | Mar 16, 2025
    risk 0.33 | cvss 6.2 | epss 0.00

    Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.28 allows an index out-of-range panic in asn1/aper GetBitString via a zero value of numBits.

  • CVE-2024-53423 | May 29, 2025
    risk 0.00 | cvss | epss 0.00

    An issue in Open Network Foundation ONOS v2.7.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted packets.

  • CVE-2023-41591 | May 29, 2025
    risk 0.00 | cvss | epss 0.00

    An issue in Open Network Foundation ONOS v2.7.0 allows attackers to create fake IP/MAC addresses and potentially execute a man-in-the-middle attack on communications between fake and real hosts.

  • CVE-2025-29310 | Mar 24, 2025
    risk 0.00 | cvss | epss 0.01

    An issue in onos v2.7.0 allows attackers to trigger a packet deserialization problem when supplying a crafted LLDP packet. This vulnerability allows attackers to execute arbitrary commands or access network information.

  • CVE-2025-29312 | Mar 24, 2025
    risk 0.00 | cvss | epss 0.00

    An issue in onos v2.7.0 allows attackers to trigger unexpected behavior within a device connected to a legacy switch via changing the link type from indirect to direct.

  • CVE-2019-16302 | Feb 20, 2020
    risk 0.00 | cvss | epss 0.02

    An issue was discovered in Open Network Operating System (ONOS) 1.14. In the Ethernet VPN application (org.onosproject.evpnopenflow), the host event listener does not handle the following event types: HOST_MOVED, HOST_UPDATED. In combination with other applications, this could…