The Horizon REST API includes a users endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to elevation of privilege. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
OpenNMS thanks Erik Wynter for reporting this issue.
References
Link | Resource |
---|---|
https://docs.opennms.com/horizon/32/releasenotes/changelog.html | Release Notes |
https://github.com/OpenNMS/opennms/pull/6354 | Patch |
https://docs.opennms.com/horizon/32/releasenotes/changelog.html | Release Notes |
https://github.com/OpenNMS/opennms/pull/6354 | Patch |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 07:38
Type | Values Removed | Values Added |
---|---|---|
References | () https://docs.opennms.com/horizon/32/releasenotes/changelog.html - Release Notes | |
References | () https://github.com/OpenNMS/opennms/pull/6354 - Patch | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.2 |
21 Aug 2023, 17:12
Type | Values Removed | Values Added |
---|---|---|
First Time |
Opennms
Opennms horizon Opennms meridian |
|
CPE | cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:* cpe:2.3:a:opennms:horizon:*:*:*:*:*:*:*:* |
|
CWE | NVD-CWE-noinfo | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.0 |
References | (MISC) https://github.com/OpenNMS/opennms/pull/6354 - Patch | |
References | (MISC) https://docs.opennms.com/horizon/32/releasenotes/changelog.html - Release Notes |
14 Aug 2023, 18:59
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-08-14 18:15
Updated : 2024-11-21 07:38
NVD link : CVE-2023-0872
Mitre link : CVE-2023-0872
CVE.ORG link : CVE-2023-0872
JSON object : View
Products Affected
opennms
- meridian
- horizon
CWE