PT-2020-13250 · Opennms+1 · Opennms Horizon+2

Florian Hauser · Published 2020-05-11 · Updated 2022-05-24 · CVE-2020-12760

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

OpenNMS Horizon versions prior to 26.0.1
OpenNMS Meridian versions prior to 2018.1.19
OpenNMS Meridian 2019 versions prior to 2019.1.7

Description

An issue allows for arbitrary deserialization of Java objects, leading to remote code execution for any authenticated channel user regardless of their assigned permissions. This is related to the ActiveMQ channel configuration and affects authenticated users.

Recommendations

For OpenNMS Horizon versions prior to 26.0.1, update to version 26.0.1 or later.
For OpenNMS Meridian versions prior to 2018.1.19, update to version 2018.1.19 or later.
For OpenNMS Meridian 2019 versions prior to 2019.1.7, update to version 2019.1.7 or later.

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2020-12760
GHSA-853F-X27W-8R74

Affected Products

Activemq
Opennms Horizon
Opennms Meridian