Description
An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions.
References
- Release Notes
- Vendor Advisory
- Release Notes, Vendor Advisory
- Release Notes, Vendor Advisory
- Release Notes, Vendor Advisory
Vulnerable configurations
Configuration 1
One of
- cpe:2.3:a:opennms:opennms_horizon:*:*:*:*:*:*:*:* (version before 26.1.0, exclusive)
- cpe:2.3:a:opennms:opennms_meridian:*:*:*:*:*:*:*:* (version before 2018.1.19, exclusive)
- cpe:2.3:a:opennms:opennms_meridian:*:*:*:*:*:*:*:* (version from 2019, inclusive, to 2019.1.7, exclusive)
EPSS: 0.01503 (Low), percentile: 81%
CVSS3: 8.8 High
CVSS2: 6.5 Medium
Weaknesses
CWE-502
Related vulnerabilities
CVSS3: 8.8
debian
more than 5 years ago
An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian ...