CVE-2023-0872

CVSS v3.1 8 (High)
EPSS 0.04 % (10th)
Affected Products 2
Advisories 1

The Horizon REST API includes a users endpoint that, in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms, is vulnerable to elevation of privilege. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

OpenNMS thanks Erik Wynter for reporting this issue.

Weaknesses
CWE-269
Improper Privilege Management
CWE-NVD-noinfo
CVE Status
PUBLISHED
CNA
The OpenNMS Group
Published Date
2023-08-14 18:15:10
(13 months ago)
Updated Date
2023-08-21 17:12:20
(13 months ago)

Affected Products

Configuration #1

  Product           CPE23                       From          Up To
  OpenNMS Horizon   cpe:2.3:a:opennms:horizon   >= 31.0.8     < 32.0.2
  OpenNMS Meridian  cpe:2.3:a:opennms:meridian  >= 2020.0.0   <= 2020.1.37
  OpenNMS Meridian  cpe:2.3:a:opennms:meridian  >= 2021.0.0   <= 2021.1.29
  OpenNMS Meridian  cpe:2.3:a:opennms:meridian  >= 2022.0.0   <= 2022.1.18
  OpenNMS Meridian  cpe:2.3:a:opennms:meridian  >= 2023.0.0   <= 2023.1.5