I am writing to report a vulnerability in one of the components of Opendaylight, aaa.
With this bug, attackers can SQL inject the component's database(SQLite).
The bug is in /aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/UserStore.java (deleteUser function).
As we can see, the aaa concats userid information to build a delete SQL query, and it executes the query in SQLite.
However, in line 235, the userid(escaped) is a string. If the user calls the api interface /auth/v1/users/ to add a malicious user, and then calls the deleteUser function to delete the user, it will cause SQL injection.
For example, he can call the api interface /auth/v1/users/ with POST method, it will call the createUser function to add a user. If the user name is:
' or 1=1--+
Then call the api interface /auth/v1/users/' or 1=1--+@DOMAIN_ID with DELETE method, it will call the deleteUser function to delete the user. And the SQL query is:
DELETE FROM AAA_USERS WHERE userid = ‘’ or 1=1—+’@DOMAIN_ID
And all the elements in the AAA_USERS table are removed due to this malicious query.
Please consider fixing this security vulnerability as soon as possible.