Lucene search

GoogleOSV:CVE-2023-0815

HistoryFeb 23, 2023 - 3:15 p.m.

CVE-2023-0815

2023-02-2315:15:10

Google

osv.dev

opennms

information disclosure

jetty log files

security vulnerability

usernames

passwords

debug logging

upgrade

installation instructions

private networks

CVSS3

6.8

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS

0.001

Percentile

31.5%

JSON

Potential Insertion of Sensitive Information into Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug. Users
should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and
Horizon installation instructions state that they are intended for installation
within an organization’s private networks and should not be directly accessible
from the Internet.

References

docs.opennms.com/meridian/2022/releasenotes/changelog.html#releasenotes-changelog-Meridian-2022.1.13

github.com/OpenNMS/opennms/pull/5741/files

CVSS3

6.8

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS

0.001

Percentile

31.5%

JSON

Related for OSV:CVE-2023-0815