Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-w5gq-xrrp-3fxf: OpenNMS privilege elevation vulnerability

The Horizon REST API includes a users endpoint in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to elevation of privilege. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization’s private networks and should not be directly accessible from the Internet.

OpenNMS thanks Erik Wynter for reporting this issue.

ghsa
#vulnerability#web#git#java#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-0872

OpenNMS privilege elevation vulnerability

High severity GitHub Reviewed Published Aug 14, 2023 to the GitHub Advisory Database • Updated Aug 14, 2023

Package

maven org.opennms:opennms-webapp-rest (Maven)

Affected versions

>= 31.0.8, < 32.0.2

Published to the GitHub Advisory Database

Aug 14, 2023

Last updated

Aug 14, 2023

Related news

OpenNMS Horizon 31.0.7 Remote Command Execution

This Metasploit module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 and lower, credentials are required for a user with ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges. In that case, the module will automatically escalate privileges via CVE-2023-40315 or CVE-2023-0872 if necessary. This module has been successfully tested against OpenNMS version 31.0.7.

CVE-2023-0872: NMS-15703: Do not allow ROLE_REST to modify users by fooker · Pull Request #6354 · OpenNMS/opennms

The Horizon REST API includes a users endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to elevation of privilege. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter for reporting this issue.