Lucene search

[email protected]CVE-2023-40313

HistoryAug 17, 2023 - 7:15 p.m.

CVE-2023-40313

2023-08-1719:15:13

[email protected]

web.nvd.nist.gov

cve-2023-40313

beanshell interpreter

remote server

openmns

horizon

vulnerability

code execution

remote code execution

upgrade

nvd

8.8 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.2%

JSON

A BeanShell interpreter in remote server mode runs in OpenMNS Horizon versions earlier than 32.0.2 and in related Meridian versions which could allow arbitrary remote Java code execution. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization’s private networks and should not be directly accessible from the Internet.

Affected configurations

NVD

Node

opennmshorizonRange<32.0.2

opennmsmeridianRange<2020.1.38

opennmsmeridianRange2021.1.0–2021.1.30

opennmsmeridianRange2022.1.0–2022.1.19

opennmsmeridianRange2023.1.0–2023.1.6

CPENameOperatorVersion
opennms:horizonopennms horizonlt32.0.2
opennms:meridianopennms meridianlt2020.1.38
opennms:meridianopennms meridianlt2021.1.30
opennms:meridianopennms meridianlt2022.1.19
opennms:meridianopennms meridianlt2023.1.6

CPE	Name	Operator	Version
opennms:horizon	opennms horizon	lt	32.0.2
opennms:meridian	opennms meridian	lt	2020.1.38
opennms:meridian	opennms meridian	lt	2021.1.30
opennms:meridian	opennms meridian	lt	2022.1.19
opennms:meridian	opennms meridian	lt	2023.1.6

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows",
      "MacOS",
      "Linux"
    ],
    "product": "Horizon",
    "repo": "https://github.com/OpenNMS/opennms",
    "vendor": "The OpenNMS Group",
    "versions": [
      {
        "lessThan": "32.0.2",
        "status": "affected",
        "version": "29.0.4",
        "versionType": "maven"
      },
      {
        "lessThan": "29.0.4",
        "status": "unknown",
        "version": "0",
        "versionType": "maven"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows",
      "MacOS",
      "Linux"
    ],
    "product": "Meridian",
    "repo": "https://github.com/OpenNMS/opennms",
    "vendor": "The OpenNMS Group",
    "versions": [
      {
        "lessThanOrEqual": "2020.1.37",
        "status": "affected",
        "version": "2020.0.0",
        "versionType": "maven"
      },
      {
        "lessThanOrEqual": "2021.1.29",
        "status": "affected",
        "version": "2021.0.0",
        "versionType": "maven"
      },
      {
        "lessThanOrEqual": "2022.1.18",
        "status": "affected",
        "version": "2022.0.0",
        "versionType": "maven"
      },
      {
        "lessThanOrEqual": "2023.1.5",
        "status": "affected",
        "version": "2023.0.0",
        "versionType": "maven"
      }
    ]
  }
]