PT-2023-16544 · Eclipse+1 · Jetty+2

Published: 2023-02-23 · Updated: 2023-03-07 · CVE-2023-0815

CVSS v3.1: 6.8 (Medium)

Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

OpenNMS Meridian versions prior to 2023.1.0
OpenNMS Horizon versions prior to 31.0.4

Description

The issue allows disclosure of usernames and passwords if the logging level is set to debug, potentially inserting sensitive information into Jetty log files. Users should be aware that OpenNMS Meridian and Horizon are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

Recommendations

For OpenNMS Meridian versions prior to 2023.1.0, upgrade to Meridian 2023.1.0 or newer. For OpenNMS Horizon versions prior to 31.0.4, upgrade to Horizon 31.0.4. As a temporary workaround, consider setting the logging level to a value other than debug to minimize the risk of sensitive information disclosure.

Fix

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2023-0815
GHSA-9XPJ-MVP2-3943

Affected Products

Jetty
OpenNMS Horizon
OpenNMS Meridian