Issue: AAA-265 (project: aaa)

RESTCONF path segment with encoded forward slash returns 400


    • Type: Bug
    • Resolution: Done
    • Priority: Highest
    • Fix Version/s: 0.16.10, 0.17.12, 0.18.2
    • Affects Version/s: 0.18.1

      A RESTCONF request URI containing an encoded forward slash (%2F) returns status code 400 and the request is not processed.

      For example,

      {
          "servlet": "org.glassfish.jersey.servlet.ServletContainer",
          "message": "Invalid request",
          "url": "/rests/data/network-topology:network-topology/topology=topology-netconf/node=XPDR-A1/yang-ext:mount/org-openroadm-device:org-openroadm-device/circuit-packs=1%2F0%2F1-PLUG-NET",
          "status": "400"
      }
      

      This appears to be caused by the Shiro 0.12.1 upgrade adopted by AAA. That version addresses a path traversal attack (CVE-2023-34478) by rejecting URIs that contain an encoded forward slash.
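As an added illustration (not Shiro's or OpenDaylight AAA's code), the following Python models the class of check described in the report: a strict request filter that inspects the raw, undecoded path and rejects "%2F", placed beside the raw-versus-normalized path comparison that such a filter is a coarse proxy for. The RESTCONF URI is the one from the report; RFC 8040 section 3.5.3 requires reserved characters such as "/" inside a list key to be percent-encoded, so "circuit-packs=1%2F0%2F1-PLUG-NET" is a single key value "1/0/1-PLUG-NET", not three path segments. The traversal URI, the shiro.ini-style URL rules and the filter's exact rule set are constructed assumptions for the example.

```python
"""Added illustration, not Shiro or OpenDaylight AAA code: why a filter that
rejects encoded slashes in the raw path breaks legitimate RESTCONF list keys,
and what that rejection is actually guarding against."""
from typing import Optional
from urllib.parse import unquote

# The RESTCONF URI from the bug report. The %2F is legitimate: it encodes a "/"
# that is part of one list-key value (RFC 8040 section 3.5.3).
RESTCONF_URI = ("/rests/data/network-topology:network-topology/topology=topology-netconf"
                "/node=XPDR-A1/yang-ext:mount/org-openroadm-device:org-openroadm-device"
                "/circuit-packs=1%2F0%2F1-PLUG-NET")

# Constructed sample: a traversal-style URI of the kind a strict request filter
# exists to stop. Raw, it sits under /public/; decoded and normalized, it does not.
TRAVERSAL_URI = "/public/..%2F..%2Frests/data/secret"

# Constructed, hypothetical rules in the spirit of a shiro.ini [urls] section:
# (Ant-style pattern, required filter), first match wins.
RULES = [
    ("/public/**", "anon"),
    ("/rests/**", "authcBasic"),
]


def strict_filter(raw_path: str) -> Optional[str]:
    """Models the kind of checks a strict request filter applies to the RAW path.
    Returns a rejection reason (the request would get a 400) or None.
    The rule set here is an assumption, not Shiro's implementation."""
    lowered = raw_path.lower()
    if ";" in raw_path:
        return "semicolon (path parameter) in path"
    if "\\" in raw_path or "%5c" in lowered:
        return "backslash in path"
    if "%2f" in lowered:
        return "encoded forward slash in path"
    if any(ord(c) < 32 or ord(c) > 127 for c in raw_path):
        return "control or non-ASCII character in path"
    return None


def normalize(raw_path: str) -> str:
    """Percent-decode and resolve '.' and '..' segments: the path as a container
    or downstream router that normalizes before dispatch would see it."""
    segments = []
    for seg in unquote(raw_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def _match(pattern: str, path: str) -> bool:
    # Minimal Ant-style matching: "/x/**" matches "/x" and anything under it.
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def required_filter(path: str, rules=RULES) -> str:
    """First matching rule wins; unmatched paths fall through to authcBasic (assumption)."""
    for pattern, name in rules:
        if _match(pattern, path):
            return name
    return "authcBasic"


def authz_mismatch(raw_path: str) -> bool:
    """True when the URL rules give a different answer for the raw path than for
    the normalized path. That disagreement is the authentication-bypass condition
    of CVE-2023-34478; blanket rejection of %2F forecloses it at the cost of
    also rejecting the legitimate RESTCONF key above."""
    return required_filter(raw_path) != required_filter(normalize(raw_path))


if __name__ == "__main__":
    for uri in (RESTCONF_URI, TRAVERSAL_URI):
        print(uri)
        print("  strict filter :", strict_filter(uri))
        print("  raw rule      :", required_filter(uri))
        print("  normalized    :", required_filter(normalize(uri)))
        print("  mismatch      :", authz_mismatch(uri))
```

Run stand-alone, the block shows that the strict filter rejects both URIs for the same reason, while the raw-versus-normalized comparison separates them: the traversal URI changes which rule applies once normalized, the RESTCONF URI does not, because its decoded key stays under "/rests/**".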

            Assignee: Robert Varga (rovarga)
            Reporter: Sangwook Ha (sangwookha)
            Votes: 0
            Watchers: 6
