Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycWM4LXI2NjMtdjg2NM4AA1Qr
OpenNMS Horizon XXE Injection Vulnerability
The /rtc/post/ endpoint in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used, for instance, to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38, or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycWM4LXI2NjMtdjg2NM4AA1Qr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
EPSS Percentage: 0.00048
EPSS Percentile: 0.19539
Identifiers: GHSA-2qc8-r663-v864, CVE-2023-0871
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-0871
- https://github.com/OpenNMS/opennms/pull/6355
- https://docs.opennms.com/horizon/32/releasenotes/changelog.html
- https://github.com/OpenNMS/opennms/commit/5a3b0b62e0c612c9e2aa2c91c847abec71d767d5
- https://github.com/advisories/GHSA-2qc8-r663-v864
Blast Radius: 1.0
Affected Packages
maven:org.opennms.core:org.opennms.core.xml
Affected Version Ranges: >= 31.0.8, < 32.0.2
Fixed in: 32.0.2