PT-2023-16576 · Opennms · Meridian+1

Erik Wynter · Published 2023-08-14 · Updated 2024-03-24 · CVE-2023-0872

CVSS v3.1: 8.2 (High)

Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: OpenNMS Horizon versions 31.0.8 through 32.0.2; Meridian (affected versions not specified)

Description: The Horizon REST API includes a "users" endpoint that is vulnerable to elevation of privilege. The solution is to upgrade to a newer version. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter for reporting this issue.

Recommendations: For OpenNMS Horizon versions 31.0.8 through 32.0.2, upgrade to Horizon 32.0.2 or newer. For Meridian, upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, or 2020.1.38. As a temporary workaround, consider restricting access to the "users" endpoint in the Horizon REST API until a patch is available.

Exploit

Fix

Improper Privilege Management


Weakness Enumeration

Related identifiers

CVE-2023-0872
GHSA-W5GQ-XRRP-3FXF

Affected products

Meridian
Opennms Horizon