CVE-2020-12760 – org.opennms.core:org.opennms.core.daemon
Package
Manager: maven
Name: org.opennms.core:org.opennms.core.daemon
Vulnerable Version: >=0 <26.0.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01554 (percentile: 0.80753)
Details
OpenNMS Horizon RCE via Unsafe Deserialization

An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions.
Metadata
Created: 2022-05-24T17:17:36Z
Modified: 2023-08-21T19:53:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-853f-x27w-8r74/GHSA-853f-x27w-8r74.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-853f-x27w-8r74
Finding: F096
Auto approve: 1