Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jM21wLTl2eDMtMnJ2ds4AAnm4

OpenNMS Horizon RCE via JEXL2 expression

OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1.2 through 27.0.4, and Newts <1.5.3 have Incorrect Access Control, which allows local and remote code execution using JEXL expressions.

Permalink: https://github.com/advisories/GHSA-c3mp-9vx3-2rvv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jM21wLTl2eDMtMnJ2ds4AAnm4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 9 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-c3mp-9vx3-2rvv, CVE-2021-3396
References: Repository: https://github.com/OpenNMS/opennms
Blast Radius: 11.8

Affected Packages

maven:org.opennms:opennms-util
Dependent packages: 2
Dependent repositories: 22
Downloads:
Affected Version Ranges: >= 16.0.0, <= 27.0.3
Fixed in: 27.0.4
All affected versions:
All unaffected versions: 31.0.3, 31.0.4, 31.0.5, 31.0.6, 31.0.7, 31.0.8, 31.0.9, 32.0.0, 32.0.1, 32.0.2, 32.0.3, 32.0.4, 32.0.5, 32.0.6, 33.0.0, 33.0.1, 33.0.2, 33.0.3
maven:org.opennms:opennms-provision
Affected Version Ranges: >= 16.0.0, <= 27.0.3
Fixed in: 27.0.4
maven:org.opennms.features:org.opennms.features.measurements
Affected Version Ranges: >= 16.0.0, <= 27.0.3
Fixed in: 27.0.4
maven:org.opennms:opennms
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 16.0.0, <= 27.0.3
Fixed in: 27.0.4
All affected versions:
All unaffected versions: 31.0.3