GHSA-5m5f-qg8r-p9qf

Suggest an improvement
Source
https://github.com/advisories/GHSA-5m5f-qg8r-p9qf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-5m5f-qg8r-p9qf/GHSA-5m5f-qg8r-p9qf.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-5m5f-qg8r-p9qf
Aliases
Published
2023-08-17T21:30:53Z
Modified
2023-11-01T05:02:48.581594Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
Summary
OpenNMS vulnerable to remote code execution
Details

A BeanShell interpreter in remote server mode runs in OpenNMS Horizon versions earlier than 32.0.2 and in related Meridian versions which could allow arbitrary remote Java code execution. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

Database specific
{
    "nvd_published_at": "2023-08-17T19:15:13Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-18T21:51:39Z"
}
References

Affected packages

Maven / org.opennms:opennms-base-assembly

Package

Name
org.opennms:opennms-base-assembly
View open source insights on deps.dev
Purl
pkg:maven/org.opennms/opennms-base-assembly

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
32.0.2