Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04NTNmLXgyN3ctOHI3NM4AAkqN
OpenNMS Horizon RCE via Unsafe Deserialization
An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions.
Permalink: https://github.com/advisories/GHSA-853f-x27w-8r74JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NTNmLXgyN3ctOHI3NM4AAkqN
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 9 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-853f-x27w-8r74, CVE-2020-12760
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-12760
- https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1
- https://issues.opennms.org/browse/NMS-12673
- https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/
- https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/
- https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/
- https://github.com/OpenNMS/opennms/pull/2983
- https://github.com/OpenNMS/opennms/commit/e21fc14ce355533493da0db815bd81a66e291382
- https://github.com/advisories/GHSA-853f-x27w-8r74
Blast Radius: 1.0
Affected Packages
maven:org.opennms.core:org.opennms.core.daemon
Affected Version Ranges: < 26.0.1Fixed in: 26.0.1