OpenNMS Meridian/Horizon Log Injection via Jetty before 2023.1.0/31.0.4
CVE-2023-0815 Published on February 23, 2023
Plaintext Password Present in the Web logs
Potential Insertion of Sensitive Information into Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
Vulnerability Analysis
Weakness Type
Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Products Associated with CVE-2023-0815
Want to know whenever a new CVE is published for Opennms products? stack.watch will email you.
Affected Versions
The OpenNMS Group Meridian:- Version 2020.1.0 and below 2020.1.32 is affected.
- Version 2021.1.0 and below 2021.1.24 is affected.
- Version 2022.1.0 and below 2022.1.13 is affected.
- Version 26.0.0 and below 31.0.4 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.