CVE-2025-29314
Published: 24 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-29314 is a vulnerability stemming from insecure Shiro cookie configurations in the OpenDaylight Service Function Chaining (SFC) Subproject, specifically affecting versions Sodium-SR4 and below. This flaw, associated with CWE-311 (Missing Encryption of Sensitive Data), enables attackers to access sensitive information through a man-in-the-middle (MITM) attack. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts over a network.
Attackers can exploit this vulnerability by positioning themselves between the victim and the OpenDaylight SFC service, requiring no user privileges or interaction but necessitating high attack complexity, such as compromising network traffic interception. Successful exploitation allows remote attackers to access sensitive information, potentially leading to high-level compromise of confidentiality, integrity, and availability of the affected service.
References to the vulnerability include blog posts on CSDN, but no specific details on advisories or patches are available in the provided information.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Insecure Shiro cookie configurations with missing encryption (CWE-311) directly enable MITM attacks to intercept sensitive data, facilitating Adversary-in-the-Middle (T1557) and Steal Web Session Cookie (T1539).