Uploaded image for project: 'aaa'
  1. aaa
  2. AAA-240

SQL injection in the aaa-idm-store-h2 (deleteDomain function)


    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Low Low
    • 0.17.0, 0.16.5, 0.15.8
    • 0.15.0, 0.16.0, 0.15.6, 0.16.4
    • None
    • ubuntu20.04, aaa version 0.17.0


      I am writing to report a vulnerability in one of the components of Opendaylight, aaa.

      With this bug, attackers can SQL inject the component's database(SQLite).

      The bug is in /aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/DomainStore.java (deleteDomain function).

      As we can see, the aaa concats domainid information to build a delete SQL query, and it executes the query in SQLite.

      However, in line 197, the domainid(escaped) is a string. If the user calls the api interface /auth/v1/domains/ to add a malicious domain, and then calls the deleteDomain function to delete the domain, it will cause SQL injection.

      For example, he can call the api interface /auth/v1/domains/ with POST method, it will call the createDomain function to add a domain. If the domain name is:

      ' or 1=1--+

      Then call the api interface /auth/v1/domains/' or 1=1--+ with DELETE method, it will call the deleteDomain function to delete the domain. And the SQL query is:

      DELETE FROM AAA_DOMAINS WHERE domainid = ‘’ or 1=1—+’

      And all the elements in the AAA_DOMAINS table are removed due to this malicious query.

      Please consider fixing this security vulnerability as soon as possible.


      Best wishes,

      Chunyang Han

            rovarga Robert Varga
            anemone Han Chunyang
            0 Vote for this issue
            2 Start watching this issue


                Original Estimate - 2 weeks
                Remaining Estimate - 4 days
                Time Spent - Not Specified Time Not Required
                Not Specified