Search criteria
3 vulnerabilities found for opennms_horizon by opennms
FKIE_CVE-2020-12760
Vulnerability from fkie_nvd - Published: 2020-05-11 16:15 - Updated: 2024-11-21 05:00
Severity ?
Summary
An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| opennms | opennms_horizon | * | |
| opennms | opennms_meridian | * | |
| opennms | opennms_meridian | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opennms:opennms_horizon:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C90319-F2D3-420A-8A20-6F31691339C7",
"versionEndExcluding": "26.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opennms:opennms_meridian:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DC5C193A-1194-41C8-AE5D-4E2F6E3984D7",
"versionEndExcluding": "2018.1.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opennms:opennms_meridian:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C95DA0CC-9548-40FE-8806-AF54A51B442A",
"versionEndExcluding": "2019.1.7",
"versionStartIncluding": "2019",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en OpenNMS Horizon versiones anteriores a 26.0.1 y Meridian versiones anteriores a 2018.1.19 y versiones 2019 anteriores a 2019.1.7. La configuraci\u00f3n del canal ActiveMQ permiti\u00f3 la deserializaci\u00f3n arbitraria de objetos Java (tambi\u00e9n se conoce cmo deserializaci\u00f3n de la carga \u00fatil de ActiveMQ Minion), conllevando a una ejecuci\u00f3n de c\u00f3digo remota para cualquier usuario del canal autenticado, sin importar sus permisos asignados."
}
],
"id": "CVE-2020-12760",
"lastModified": "2024-11-21T05:00:13.653",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-11T16:15:13.147",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://issues.opennms.org/browse/NMS-12673"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://issues.opennms.org/browse/NMS-12673"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2020-12760 (GCVE-0-2020-12760)
Vulnerability from cvelistv5 – Published: 2020-05-11 15:54 – Updated: 2024-08-04 12:04
VLAI?
Summary
An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issues.opennms.org/browse/NMS-12673"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-11T15:54:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://issues.opennms.org/browse/NMS-12673"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12760",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/",
"refsource": "MISC",
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/"
},
{
"name": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/",
"refsource": "MISC",
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/"
},
{
"name": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/",
"refsource": "MISC",
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/"
},
{
"name": "https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1",
"refsource": "MISC",
"url": "https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1"
},
{
"name": "https://issues.opennms.org/browse/NMS-12673",
"refsource": "MISC",
"url": "https://issues.opennms.org/browse/NMS-12673"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12760",
"datePublished": "2020-05-11T15:54:33",
"dateReserved": "2020-05-09T00:00:00",
"dateUpdated": "2024-08-04T12:04:22.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12760 (GCVE-0-2020-12760)
Vulnerability from nvd – Published: 2020-05-11 15:54 – Updated: 2024-08-04 12:04
VLAI?
Summary
An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issues.opennms.org/browse/NMS-12673"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-11T15:54:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://issues.opennms.org/browse/NMS-12673"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12760",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/",
"refsource": "MISC",
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/"
},
{
"name": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/",
"refsource": "MISC",
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/"
},
{
"name": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/",
"refsource": "MISC",
"url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/"
},
{
"name": "https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1",
"refsource": "MISC",
"url": "https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1"
},
{
"name": "https://issues.opennms.org/browse/NMS-12673",
"refsource": "MISC",
"url": "https://issues.opennms.org/browse/NMS-12673"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12760",
"datePublished": "2020-05-11T15:54:33",
"dateReserved": "2020-05-09T00:00:00",
"dateUpdated": "2024-08-04T12:04:22.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}