This page lists publicly disclosed CVE vulnerabilities affecting opennetworking onos (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-53423 | An issue in Open Network Foundation ONOS v2.7.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted packets. | [email protected] | 5.6 | 0.24% | 2025-05-29 | 2026-06-17 |
| CVE-2023-41591 | An issue in Open Network Foundation ONOS v2.7.0 allows attackers to create fake IP/MAC addresses and potentially execute a man-in-the-middle attack on communications between fake and real hosts. | [email protected] | 9.8 | 0.29% | 2025-05-29 | 2026-06-17 |
| CVE-2025-29312 | An issue in onos v2.7.0 allows attackers to trigger unexpected behavior within a device connected to a legacy switch via changing the link type from indirect to direct. | [email protected] | 9.1 | 0.42% | 2025-03-24 | 2026-06-17 |
| CVE-2025-29311 | Limited secret space in LLDP packets used in onos v2.7.0 allows attackers to obtain the private key via a bruteforce attack. Attackers are able to leverage this vulnerability into creating crafted LLDP packets. | [email protected] | 7.5 | 0.32% | 2025-03-24 | 2026-06-17 |
| CVE-2025-29310 | An issue in onos v2.7.0 allows attackers to trigger a packet deserialization problem when supplying a crafted LLDP packet. This vulnerability allows attackers to execute arbitrary commands or access network information. | [email protected] | 9.8 | 0.48% | 2025-03-24 | 2026-06-17 |
| CVE-2022-29944 | An issue was discovered in ONOS 2.5.1. There is an incorrect comparison of paths installed by intents. An existing intents does not redirect to a new path, even if a new intent that shares the path with higher priority is installed. | [email protected] | 5.3 | 0.76% | 2023-04-20 | 2026-06-17 |
| CVE-2022-29609 | An issue was discovered in ONOS 2.5.1. An intent with the same source and destination shows the INSTALLING state, indicating that its flow rules are installing. Improper handling of such an intent is misleading to a network operator. | [email protected] | 5.3 | 0.57% | 2023-04-20 | 2026-06-17 |
| CVE-2022-29608 | An issue was discovered in ONOS 2.5.1. An intent with a port that is an intermediate point of its path installs an invalid flow rule, causing a network loop. | [email protected] | 7.5 | 0.87% | 2023-04-20 | 2026-06-17 |
| CVE-2022-29607 | An issue was discovered in ONOS 2.5.1. Modification of an existing intent to have the same source and destination shows the INSTALLED state without any flow rule. Improper handling of such an intent is misleading to a network operator. | [email protected] | 7.5 | 0.67% | 2023-04-20 | 2026-06-17 |
| CVE-2022-29606 | An issue was discovered in ONOS 2.5.1. An intent with a large port number shows the CORRUPT state, which is misleading to a network operator. Improper handling of such port numbers causes inconsistency between intent and flow rules in the network. | [email protected] | 9.8 | 0.99% | 2023-04-20 | 2026-06-17 |
| CVE-2022-29605 | An issue was discovered in ONOS 2.5.1. IntentManager attempts to install the IPv6 flow rules of an intent into an OpenFlow 1.0 switch that does not support IPv6. Improper handling of the difference in capabilities of the intent and switch is misleading to a network operator. | [email protected] | 7.5 | 0.65% | 2023-04-20 | 2026-06-17 |
| CVE-2022-29604 | An issue was discovered in ONOS 2.5.1. An intent with an uppercase letter in a device ID shows the CORRUPT state, which is misleading to a network operator. Improper handling of case sensitivity causes inconsistency between intent and flow rules in the network. | [email protected] | 9.8 | 1.01% | 2023-04-20 | 2026-06-17 |
| CVE-2022-24109 | An issue was discovered in ONOS 2.5.1. To attack an intent installed by a normal user, a remote attacker can install a duplicate intent with a different key, and then remove the duplicate one. This will remove the flow rules of the intent, even though the intent still exists in the controller. | [email protected] | 6.5 | 0.85% | 2023-04-20 | 2026-06-17 |
| CVE-2022-24035 | An issue was discovered in ONOS 2.5.1. The purge-requested intent remains on the list, but it does not respond to changes in topology (e.g., link failure). In combination with other applications, it could lead to a failure of network management. | [email protected] | 7.5 | 0.86% | 2023-04-20 | 2026-06-17 |
| CVE-2021-38364 | An issue was discovered in ONOS 2.5.1. There is an incorrect comparison of flow rules installed by intents. A remote attacker can install or remove a new intent, and consequently modify or delete the existing flow rules related to other intents. | [email protected] | 6.5 | 0.85% | 2023-04-20 | 2026-06-17 |
| CVE-2021-38363 | An issue was discovered in ONOS 2.5.1. In IntentManager, the install-requested intent (which causes an exception) remains in pendingMap (in memory) forever. Deletion is possible neither by a user nor by the intermittent Intent Cleanup process. | [email protected] | 7.5 | 0.65% | 2023-04-20 | 2026-06-17 |
| CVE-2023-24279 | A cross-site scripting (XSS) vulnerability in Open Networking Foundation ONOS from version v1.9.0 to v2.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter of the API documentation dashboard. | [email protected] | 6.1 | 0.62% | 2023-03-13 | 2026-06-17 |
| CVE-2019-11189 | Authentication Bypass by Spoofing in org.onosproject.acl (access control) and org.onosproject.mobility (host mobility) in ONOS v2.0 and earlier allows attackers to bypass network access control via data plane packet injection. To exploit the vulnerability, an attacker sends a gratuitous ARP reply that causes the host mobility application to remove existing access control flow denial rules in the network. The access control application does not re-install flow deny rules, so the attacker can bypa | [email protected] | 7.5 | 1.05% | 2020-02-20 | 2026-06-16 |
| CVE-2018-1999020 | Open Networking Foundation (ONF) ONOS version 1.13.2 and earlier version contains a Directory Traversal vulnerability in core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java line 35 that can result in arbitrary file deletion (overwrite). This attack appear to be exploitable via a specially crafted zip file should be uploaded. | [email protected] | 5.5 | 1.28% | 2018-07-23 | 2026-06-16 |