CVE-2020-12760
HIGH
OpenNMS Horizon <26.0.1, Meridian <2018.1.19 & 2019 <2019.1.7 - Rem...
Title source: llm
Description
An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions.
References (5)
Scores
CVSS v3
8.8
EPSS
0.0150
EPSS Percentile
80.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-502
Status
published
Affected Products (3)
opennms/opennms_horizon
< 26.1.0
opennms/opennms_meridian
< 2018.1.19
org.opennms.core/org.opennms.core.daemon
< 26.0.1 (Maven)
Timeline
Published
May 11, 2020
Tracked Since
Feb 18, 2026