
Previous password continues to work after password change


#security-status: confirmed-leaked

This issue has been confirmed as a security vulnerability in OpenDaylight AAA. Unfortunately the details of this flaw have been made public. Therefore it cannot be fixed under the OpenDaylight embargoed security vulnerability process. As this issue is now public it is important that the flaw is addressed in a timely manner. The OpenDaylight security team will ensure that a CVE is assigned for this issue.

Vaibhav Hemant Dixit reported the following security vulnerability to the security mailing list:

Severity: OPENDAYLIGHT AUTHENTICATION BREACHED

Issue: After updating the password, the login is successful with both OLD and NEW passwords
Controller: Distribution Version: distribution-karaf-0.6.1-Carbon.tar.gz

Steps to reproduce:

1. Start the controller.
2. Install the feature on Karaf: "feature:install odl-aaa-cli"
3. Change the admin password:

    aaa:change-user-pwd -user admin
    Enter current password:
    Enter new password:
    admin's password has been changed

Observation:

The admin user can authenticate using both the OLD and the NEW password.
Execute a REST call with the OLD and with the NEW password; the authentication succeeds with both.
If the controller is shut down and restarted, the issue is not seen anymore.
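The report does not state the root cause, but the observation that a restart makes the old password stop working is consistent with an authenticator that caches successful credential checks in memory and does not evict those entries when the password is changed. The following is an added example, not OpenDaylight AAA code, written in Python as a language-neutral illustration of that failure mode and its fix. Both authenticator classes, the user store, and the sample credentials are hypothetical and constructed for this example; the `demo()` function performs the same check the reporter did (try the OLD and the NEW password after a change, without a restart), which is the regression test a defender would want for any password-change path that sits in front of a cache.

```python
"""Added example (not OpenDaylight code): a cached credential that outlives a
password change, and the hardened variant that evicts the cache on change.

Assumption (labelled): the authenticator caches positive credential checks in
memory; the user store itself is updated correctly on password change."""

import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 50_000  # kept low so the demo runs quickly; raise in real code


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserStore:
    """Hypothetical backing store: salted password hashes, always authoritative."""

    def __init__(self):
        self._users = {}  # name -> (salt, digest)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(password, salt))

    def verify(self, name: str, password: str) -> bool:
        rec = self._users.get(name)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash(password, salt))

    def change_password(self, name: str, current: str, new: str) -> bool:
        if not self.verify(name, current):
            return False
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(new, salt))
        return True


class CachingAuthenticator:
    """Defective pattern: caches (user, password) -> verdict for `ttl` seconds,
    but change_password() updates only the store, never the cache."""

    def __init__(self, store: UserStore, ttl: float = 300.0):
        self.store = store
        self.ttl = ttl
        self._cache = {}  # cache key -> (verdict, expiry)

    @staticmethod
    def _key(name: str, password: str) -> str:
        # Keyed on a digest so the plaintext is not held in the cache itself.
        return hashlib.sha256(f"{name}\0{password}".encode()).hexdigest()

    def authenticate(self, name: str, password: str) -> bool:
        key = self._key(name, password)
        hit = self._cache.get(key)
        if hit is not None and hit[1] > time.monotonic():
            return hit[0]  # stale OLD password still answers True here
        ok = self.store.verify(name, password)
        if ok:
            self._cache[key] = (True, time.monotonic() + self.ttl)
        return ok

    def change_password(self, name: str, current: str, new: str) -> bool:
        return self.store.change_password(name, current, new)


class InvalidatingAuthenticator(CachingAuthenticator):
    """Hardened pattern: track cache keys per user and evict all of them
    whenever that user's password changes."""

    def __init__(self, store: UserStore, ttl: float = 300.0):
        super().__init__(store, ttl)
        self._keys_by_user = {}  # name -> set of cache keys

    def authenticate(self, name: str, password: str) -> bool:
        ok = super().authenticate(name, password)
        if ok:
            self._keys_by_user.setdefault(name, set()).add(self._key(name, password))
        return ok

    def change_password(self, name: str, current: str, new: str) -> bool:
        changed = self.store.change_password(name, current, new)
        if changed:
            for key in self._keys_by_user.pop(name, ()):
                self._cache.pop(key, None)
        return changed


def demo(auth_cls) -> tuple:
    """Reproduce the reporter's check: (old password accepted?, new accepted?)."""
    store = UserStore()
    store.add_user("admin", "old-pass")  # constructed sample credentials
    auth = auth_cls(store)
    assert auth.authenticate("admin", "old-pass")  # prime the cache, as a login would
    assert auth.change_password("admin", "old-pass", "new-pass")
    return auth.authenticate("admin", "old-pass"), auth.authenticate("admin", "new-pass")


if __name__ == "__main__":
    print("caching only  :", demo(CachingAuthenticator))       # (True, True)
    print("with eviction :", demo(InvalidatingAuthenticator))  # (False, True)
```

The defective class returns `(True, True)`: the OLD password keeps working until the cache entry expires or the process restarts, which matches the reported symptom. The hardened class returns `(False, True)`. The design point is that a password change must invalidate every derived artefact that can stand in for the password (cached verdicts, session tokens bound to the old credential), not just the stored hash; a simpler but coarser alternative is to clear the whole cache on any credential change.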

Assignee: Ryan Goulding (rgoulding)
Reporter: Vaibhav Hemant Dixit (vhd)