CVE-2020-12760
HIGH
OpenNMS Horizon <26.0.1, Meridian <2018.1.19 & 2019 <2019.1.7 - Rem...
Title source: llm
Description
An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions.
References (5)
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/
Release Notes, Vendor Advisory x_refsource_misc
https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/
Release Notes, Vendor Advisory x_refsource_misc
https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/
Release Notes x_refsource_misc
https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1
Vendor Advisory x_refsource_misc
https://issues.opennms.org/browse/NMS-12673
Scores
CVSS v3: 8.8
EPSS: 0.0341
EPSS Percentile: 87.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-502
Status: published
Products (3)
opennms/opennms_horizon: < 26.1.0
opennms/opennms_meridian: < 2018.1.19
org.opennms.core/org.opennms.core.daemon: 0 - 26.0.1 (Maven)
Published: May 11, 2020
Tracked Since: Feb 18, 2026