CVE-2023-0815

Summary

Potential Insertion of Sensitive Information into Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

Affected Software

VendorProductVersion RangeStatus
The OpenNMS GroupMeridian2020.1.0 < 2020.1.32affected
The OpenNMS GroupMeridian2021.1.0 < 2021.1.24affected
The OpenNMS GroupMeridian2022.1.0 < 2022.1.13affected
The OpenNMS GroupHorizon26.0.0 < 31.0.4affected

Weaknesses

  • CWE-532: CWE-532 Insertion of Sensitive Information into Log File

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References