The OpenDaylight 0.15.3 controller allows topology poisoning via API requests because an application can manipulate the path that is taken by discovery packets.
[
{
"cpes": [
"cpe:2.3:a:linuxfoundation:opendaylight:0.15.3:*:*:*:*:*:*:*"
],
"vendor": "linuxfoundation",
"product": "opendaylight",
"versions": [
{
"status": "affected",
"version": "0.15.3"
}
],
"defaultStatus": "unknown"
}
]