Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jM21wLTl2eDMtMnJ2ds4AAnm4
OpenNMS Horizon RCE via JEXL2 expression
OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1.2 through 27.0.4, and Newts before 1.5.3 have incorrect access control that allows local and remote code execution via JEXL expressions. Note that this description counts Horizon 27.0.4 as affected while the package data below lists 27.0.4 as the fixed version; confirm the exact fixed release against the OpenNMS disclosure linked under References before closing a finding.
Permalink: https://github.com/advisories/GHSA-c3mp-9vx3-2rvv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jM21wLTl2eDMtMnJ2ds4AAnm4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00359
EPSS Percentile: 0.71867
Identifiers: GHSA-c3mp-9vx3-2rvv, CVE-2021-3396
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3396
- https://www.opennms.com/en/blog/2021-02-16-cve-2021-3396-full-security-disclosure/
- https://github.com/OpenNMS/opennms/pull/3281
- https://issues.opennms.org/browse/NMS-13103
- https://github.com/advisories/GHSA-c3mp-9vx3-2rvv
Blast Radius: 11.8
Affected Packages
maven:org.opennms:opennms-util
Dependent packages: 2
Dependent repositories: 22
Affected Version Ranges: >= 16.0.0, <= 27.0.3
Fixed in: 27.0.4
All affected versions:
All unaffected versions: 31.0.3, 31.0.4, 31.0.5, 31.0.6, 31.0.7, 31.0.8, 31.0.9, 32.0.0, 32.0.1, 32.0.2, 32.0.3, 32.0.4, 32.0.5, 32.0.6, 33.0.0, 33.0.1, 33.0.2, 33.0.3, 33.0.4, 33.0.5, 33.0.6, 33.0.7, 33.0.8, 33.0.9, 33.0.10, 33.1.1
maven:org.opennms:opennms-provision
Affected Version Ranges: >= 16.0.0, <= 27.0.3
Fixed in: 27.0.4
maven:org.opennms.features:org.opennms.features.measurements
Affected Version Ranges: >= 16.0.0, <= 27.0.3
Fixed in: 27.0.4
maven:org.opennms:opennms
Dependent packages: 0
Dependent repositories: 0
Affected Version Ranges: >= 16.0.0, <= 27.0.3
Fixed in: 27.0.4
All affected versions:
All unaffected versions: 31.0.3