PT-2021-20367 · Opennms · Opennms Horizon+2

Artem Smotrakov · Published 2021-02-17 · Updated 2022-07-12 · CVE-2021-3396

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:
OpenNMS Meridian versions 2016 through 2018 before 2018.1.25
OpenNMS Meridian versions 2019 before 2019.1.16
OpenNMS Meridian versions 2020 before 2020.1.5
OpenNMS Horizon versions 1.2 through 27.0.4
OpenNMS Newts versions prior to 1.5.3

Description: The issue allows for local and remote code execution using JEXL expressions due to incorrect access control.

Recommendations:
For OpenNMS Meridian versions 2016 through 2018 before 2018.1.25, update to version 2018.1.25 or later.
For OpenNMS Meridian versions 2019 before 2019.1.16, update to version 2019.1.16 or later.
For OpenNMS Meridian versions 2020 before 2020.1.5, update to version 2020.1.5 or later.
For OpenNMS Horizon versions 1.2 through 27.0.4, update to a version later than 27.0.4.
For OpenNMS Newts versions prior to 1.5.3, update to version 1.5.3 or later.

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2021-3396
GHSA-C3MP-9VX3-2RVV

Affected Products

Opennms Horizon
Opennms Meridian
Opennms Newts