CVE-2023-0871

XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter and Moshe Apelbaum for reporting this issue.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://docs.opennms.com/horizon/32/releasenotes/changelog.html	Release Notes
https://github.com/OpenNMS/opennms/pull/6355	Patch
https://docs.opennms.com/horizon/32/releasenotes/changelog.html	Release Notes
https://github.com/OpenNMS/opennms/pull/6355	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:opennms:horizon::::::::
	cpe:2.3:a:opennms:horizon:31.0.8:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:opennms:meridian::::::::
	cpe:2.3:a:opennms:meridian::::::::
	cpe:2.3:a:opennms:meridian::::::::
	cpe:2.3:a:opennms:meridian::::::::

History

No history.

Information

Published : 2023-08-11 17:15

Updated : 2024-11-21 07:38

NVD link : CVE-2023-0871

Mitre link : CVE-2023-0871

CVE.ORG link : CVE-2023-0871

JSON object : View

Products Affected

opennms

horizon
meridian

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2023-0871", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@opennms.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2023-08-11T17:15:08.980", "references": [{"url": "https://docs.opennms.com/horizon/32/releasenotes/changelog.html", "tags": ["Release Notes"], "source": "security@opennms.com"}, {"url": "https://github.com/OpenNMS/opennms/pull/6355", "tags": ["Patch"], "source": "security@opennms.com"}, {"url": "https://docs.opennms.com/horizon/32/releasenotes/changelog.html", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/OpenNMS/opennms/pull/6355", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@opennms.com", "description": [{"lang": "en", "value": "CWE-611"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms\u00a0is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services.\u00a0The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.\u00a0OpenNMS thanks Erik Wynter and Moshe Apelbaum for reporting this issue.\n"}], "lastModified": "2024-11-21T07:38:00.630", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opennms:horizon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E348236-BC02-4334-8F84-AC9F91C3D0AD", "versionEndExcluding": "32.0.2", "versionStartIncluding": "32.0.0"}, {"criteria": "cpe:2.3:a:opennms:horizon:31.0.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB86992A-06FF-4B7D-BFD3-FC04DFC96FBC"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6B9CB53-0A8C-4DB4-85E8-E0F81D6168AC", "versionEndExcluding": "2020.1.38", "versionStartIncluding": "2020.0.0"}, {"criteria": "cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BAB4DC97-9047-4302-90A0-4711AE93D364", "versionEndExcluding": "2021.1.30", "versionStartIncluding": "2021.0.0"}, {"criteria": "cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "230DB641-455F-4F55-AFB2-1E6D974EE080", "versionEndExcluding": "2022.1.9", "versionStartIncluding": "2022.1.0"}, {"criteria": "cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9822AB30-2205-496D-952D-A0CFF409B72F", "versionEndExcluding": "2023.1.6", "versionStartIncluding": "2023.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@opennms.com"}