Arbitrary Remote BSH Code Exec in OpenNMS Horizon <32.0.2 / Meridian
CVE-2023-40313, published on August 17, 2023

Disable BeanShell Interpreter Remote Server Mode
A BeanShell interpreter running in remote server mode is present in OpenNMS Horizon versions earlier than 32.0.2 and in related Meridian versions; it could allow arbitrary remote Java code execution. The fix is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. The Meridian and Horizon installation instructions state that these products are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

Vulnerability Analysis

Attack Vector: ADJACENT_NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW

Weakness Type

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2023-40313 has been classified as a Code Injection vulnerability (weakness).

Products Associated with CVE-2023-40313

Affected Versions

The OpenNMS Group Horizon
The OpenNMS Group Meridian
opennms horizon
opennms meridian

Exploit Probability

EPSS score: 0.06%
EPSS percentile: 19.93%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares with the scores of all other vulnerabilities.