CVSS3
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
AI Score
Confidence: High
EPSS
Percentile: 31.5%
Potential Insertion of Sensitive Information into Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "Jetty",
      "Log4j2"
    ],
    "platforms": [
      "Windows",
      "Linux",
      "MacOS"
    ],
    "product": "Meridian",
    "programFiles": [
      "https://github.com/OpenNMS/opennms/blob/develop/opennms-base-assembly/src/main/filtered/etc/log4j2.xml"
    ],
    "programRoutines": [
      {
        "name": "log4j2.xml"
      }
    ],
    "repo": "https://github.com/OpenNMS",
    "vendor": "The OpenNMS Group ",
    "versions": [
      {
        "lessThan": "2020.1.32",
        "status": "affected",
        "version": "2020.1.0",
        "versionType": "git"
      },
      {
        "lessThan": "2021.1.24",
        "status": "affected",
        "version": "2021.1.0",
        "versionType": "git"
      },
      {
        "lessThan": "2022.1.13",
        "status": "affected",
        "version": "2022.1.0",
        "versionType": "git"
      }
    ]
  },
  {
    "defaultStatus": "unknown",
    "modules": [
      "Jetty",
      "Log4j2"
    ],
    "platforms": [
      "Windows",
      "Linux",
      "MacOS"
    ],
    "product": "Horizon",
    "programFiles": [
      "https://github.com/OpenNMS/opennms/blob/develop/opennms-base-assembly/src/main/filtered/etc/log4j2.xml"
    ],
    "programRoutines": [
      {
        "name": "log4j2.xml"
      }
    ],
    "repo": "https://github.com/OpenNMS",
    "vendor": "The OpenNMS Group",
    "versions": [
      {
        "lessThan": "31.0.4",
        "status": "affected",
        "version": "26.0.0",
        "versionType": "git"
      }
    ]
  }
]