
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue in the Shiro-based RBAC (Role-based Access Control) mechanism of OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to execute privileged operations via a crafted request. The vulnerability was discovered and disclosed on March 24, 2025 (NVD, CSDN Blog).
The vulnerability stems from coarse-grained URL-to-role mapping and lack of context-aware authorization checks in the Shiro configuration model. The static RBAC model fails to validate dynamic context such as resource ownership or session state, enabling unauthorized cross-tenant access. Additionally, wildcard URL patterns further expand the attack surface by bypassing subpath-specific policies. The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-284 (Improper Access Control) (NVD).
The vulnerability can lead to multiple severe impacts: privilege escalation allowing ordinary users to gain administrative-level access, unauthorized data breaches exposing sensitive SFC information including user data and network topology, and service interruption through modification or deletion of critical Service Function Chain components (CSDN Blog).
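The two configuration weaknesses named above (a broad wildcard URL rule shadowing a more specific one, and a static URL-to-role table that cannot see resource ownership) are easiest to understand on a small model of how Shiro's `[urls]` section is evaluated. The Python below is an added example written for this page, not code from OpenDaylight SFC or Apache Shiro: it reimplements the first-match, Ant-style pattern semantics of Shiro's URL filter chain, lints a chain for rules that an earlier wildcard makes unreachable, and shows a handler-side ownership check layered on top. The `/restconf/...` patterns, role names and chains are constructed for illustration and are not SFC's real configuration.

```python
"""Model of Apache Shiro [urls] filter-chain resolution (constructed example).

Shiro evaluates the [urls] rules top to bottom and the FIRST pattern that
matches the request path decides which filters run; later, more specific
rules are never consulted.  That is the mechanism by which a coarse
wildcard rule can bypass a stricter subpath policy.
"""
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (Ant-style URL pattern, Shiro filter spec)


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regex.
    '/**' also matches the base path itself, '**' spans path segments,
    '*' stays within one segment and '?' matches a single character."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(?:/.*)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def resolve(chain: List[Rule], path: str) -> Optional[str]:
    """First matching rule wins, exactly as Shiro's chain resolver does."""
    for pattern, filters in chain:
        if ant_to_regex(pattern).match(path):
            return filters
    return None  # no rule matched


def required_roles(filters: Optional[str]) -> List[str]:
    """Pull role names out of a filter spec such as 'authc, roles[admin, ops]'."""
    if not filters:
        return []
    m = re.search(r"roles\[([^\]]*)\]", filters)
    return [r.strip() for r in m.group(1).split(",") if r.strip()] if m else []


def _sample_path(pattern: str) -> str:
    # A representative concrete path matched by the pattern (heuristic).
    return (pattern.replace("/**", "/x/y").replace("**", "x/y")
                   .replace("*", "x").replace("?", "x"))


def shadowed_rules(chain: List[Rule]) -> List[int]:
    """Config lint: indexes of rules that an earlier rule captures first,
    so their (usually stricter) filters can never apply.  Heuristic: it
    tests one sample path per rule rather than proving full subsumption."""
    shadowed = []
    for j, (pattern, _) in enumerate(chain):
        sample = _sample_path(pattern)
        if any(ant_to_regex(p).match(sample) for p, _ in chain[:j]):
            shadowed.append(j)
    return shadowed


def authorize(chain: List[Rule], path: str, user_roles: List[str],
              requester: str, resource_owner: str) -> bool:
    """Context-aware check a static URL->role table cannot express: after the
    URL rule's role requirement, the handler still verifies that the caller
    owns the resource unless they hold the admin role.  Unmatched paths are
    denied by default (constructed hardening choice, not Shiro's behaviour)."""
    filters = resolve(chain, path)
    if filters is None:
        return False
    needed = required_roles(filters)
    if needed and not set(needed) & set(user_roles):
        return False
    return "admin" in user_roles or requester == resource_owner


# Constructed weak ordering: the broad rule sits first, so the admin-only
# rule for the operations subpath is unreachable.
WEAK_CHAIN: List[Rule] = [
    ("/restconf/**", "authc"),
    ("/restconf/operations/**", "authc, roles[admin]"),
]
# Corrected ordering: most specific patterns first, catch-all last.
FIXED_CHAIN: List[Rule] = [
    ("/restconf/operations/**", "authc, roles[admin]"),
    ("/restconf/**", "authc"),
]

if __name__ == "__main__":
    for name, chain in (("weak", WEAK_CHAIN), ("fixed", FIXED_CHAIN)):
        spec = resolve(chain, "/restconf/operations/sfc:create")
        print(name, "->", spec, "roles:", required_roles(spec),
              "shadowed rule indexes:", shadowed_rules(chain))
```

Running the block shows the weak chain answering `authc` (no role requirement) for the operations subpath and flagging rule index 1 as shadowed, while the fixed chain requires `admin` there and reports nothing shadowed. The `shadowed_rules` lint is the check worth running over any Shiro `[urls]` section: an empty result is not proof of correctness, but a non-empty one is always a misordering.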
Source: This report was generated using AI