VYPR
Vendor

Opendaylight

Products
17
CVEs
33
Across products
43
Status
Private

Products

17

Recent CVEs

33
View all 33 CVEs →
  • CVE-2025-29315CriMar 24, 2025
    risk 0.64cvss 9.8epss 0.00

    An issue in the Shiro-based RBAC (Role-based Access Control) mechanism of OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to execute privileged operations via a crafted request.

  • CVE-2018-1078CriMar 16, 2018
    risk 0.64cvss 9.8epss 0.01

    OpenDayLight version Carbon SR3 and earlier contain a vulnerability during node reconciliation that can result in traffic flows that should be expired or should expire shortly being re-installed and their timers reset resulting in traffic being allowed that should be expired.

  • CVE-2015-1778CriJun 27, 2017
    risk 0.64cvss 9.8epss 0.03

    The custom authentication realm used by karaf-tomcat's "opendaylight" realm in Opendaylight before Helium SR3 will authenticate any username and password combination.

  • CVE-2026-36500CriJun 5, 2026
    risk 0.59cvss 9.1epss 0.01

    An issue in the cluster-admin:backup-datastore component of Controller v12.0.5 allows attackers to execute a directory traversal via a crafted request.

  • CVE-2024-37018CriMay 31, 2024
    risk 0.59cvss 9.1epss 0.00

    The OpenDaylight 0.15.3 controller allows topology poisoning via API requests because an application can manipulate the path that is taken by discovery packets.

  • CVE-2014-8149HigJun 27, 2017
    risk 0.57cvss 8.8epss 0.02

    OpenDaylight defense4all 1.1.0 and earlier allows remote authenticated users to write report data to arbitrary files.

  • CVE-2025-29314HigMar 24, 2025
    risk 0.53cvss 8.1epss 0.00

    Insecure Shiro cookie configurations in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allow attackers to access sensitive information via a man-in-the-middle attack.

  • CVE-2026-36501HigJun 5, 2026
    risk 0.49cvss 7.5epss 0.00

    An issue in the Externalizable.readExternal() component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input.

  • CVE-2025-29313HigMar 24, 2025
    risk 0.49cvss 7.5epss 0.00

    Use of incorrectly resolved name or reference in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to cause a Denial of Service (DoS).

  • CVE-2018-1132HigJun 20, 2018
    risk 0.49cvss 7.5epss 0.03

    A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp. SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series…

  • CVE-2017-1000411HigJan 31, 2018
    risk 0.49cvss 7.5epss 0.02

    OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with…

  • CVE-2017-1000406HigNov 30, 2017
    risk 0.49cvss 7.5epss 0.01

    OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart).

  • CVE-2017-1000361HigApr 24, 2017
    risk 0.49cvss 7.5epss 0.01

    DOMRpcImplementationNotAvailableException when sending Port-Status packets to OpenDaylight. Controller launches exceptions and consumes more CPU resources. Component: OpenDaylight is vulnerable to this flaw. Version: The tested versions are OpenDaylight 3.3 and 4.0.

  • CVE-2017-1000357HigApr 24, 2017
    risk 0.49cvss 7.5epss 0.01

    Denial of Service attack when the switch rejects to receive packets from the controller. Component: This vulnerability affects OpenDaylight odl-l2switch-switch, which is the feature responsible for the OpenFlow communication. Version: OpenDaylight versions 3.3 (Lithium-SR3), 3.4…

  • CVE-2015-1612HigApr 4, 2017
    risk 0.49cvss 7.5epss 0.02

    OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attackers to spoof the SDN topology and affect the flow of data, related to the reuse of LLDP packets, aka "LLDP Relay."

  • CVE-2015-1611HigApr 4, 2017
    risk 0.49cvss 7.5epss 0.02

    OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attackers to spoof the SDN topology and affect the flow of data, related to "fake LLDP injection."

  • CVE-2024-54411HigDec 16, 2024
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in hosting.io WP Controller wp-management-controller allows Stored XSS.This issue affects WP Controller: from n/a through <= 3.2.0.

  • CVE-2017-1000358MedApr 24, 2017
    risk 0.42cvss 6.5epss 0.01

    Controller throws an exception and does not allow user to add subsequent flow for a particular switch. Component: OpenDaylight odl-restconf feature contains this flaw. Version: OpenDaylight 4.0 is affected by this flaw.

  • CVE-2015-1857MedApr 27, 2018
    risk 0.35cvss 5.3epss 0.02

    The odl-mdsal-apidocs feature in OpenDaylight Helium allow remote attackers to obtain sensitive information by leveraging missing AAA restrictions.

  • CVE-2017-1000360MedApr 24, 2017
    risk 0.35cvss 5.3epss 0.01

    StreamCorruptedException and NullPointerException in OpenDaylight odl-mdsal-xsql. Controller launches exceptions in the console. Component: OpenDaylight odl-mdsal-xsql is vulnerable to this flaw. Version: The tested versions are OpenDaylight 3.3 and 4.0.