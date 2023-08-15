CyRC Vulnerability Advisory: CVE-2023-0871 Vulnerability in OpenNMS Horizon

Authored by Black Duck Editorial Staff

Aug 15, 2023 / 1 min read

Overview

The Black Duck Cybersecurity Research Center (CyRC) has discovered CVE-2023-0871, an XML External Entity (XXE) injection vulnerability, in OpenNMS Horizon.

OpenNMS is an open source network monitoring platform written in Java. It monitors some of the largest networks in the Fortune 500, across the healthcare, technology, energy, finance, government, education, retail, and industrial sectors, many with tens of thousands of networked devices.

OpenNMS ships as two open source distributions, both under the AGPLv3 license: Horizon (community release) and Meridian (enterprise release). Additional components extend the platform with distributed network monitoring (Minion), scalability (Sentinel), and scalable data persistence (Newts).

CVE-2023-0871

The application parses untrusted XML with a permissively configured parser, one that honours DOCTYPE declarations and resolves external entities, which makes it vulnerable to XML External Entity (XXE) injection.

Exploitation

A malicious HTTP request carrying an XML payload can exfiltrate files from the OpenNMS server's file system or cause a denial of service. The vulnerable HTTP endpoint is authenticated: the request must carry credentials for a user holding the RTC role.
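The permissive parser configuration and its hardened counterpart, as an added example in Java that is not OpenNMS code. Both builders parse the same constructed XXE payload; the `event`/`host` element names and the `/etc/hostname` target are hypothetical, chosen only for illustration. The permissive builder resolves the entity and returns the first line of the file, while the hardened builder rejects the document at the DOCTYPE, before any entity is declared, which also closes off entity-expansion denial of service.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

/**
 * Added example, not OpenNMS code: a permissive JAXP DOM parser beside a
 * hardened one, both fed the same constructed XXE payload.
 */
public class XxeDemo {

    // Constructed payload (hypothetical element names). An external general
    // entity pointing at a local file; a blind variant would instead fetch an
    // attacker-hosted DTD and smuggle the file content out in a URL.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE event [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<event><host>&xxe;</host></event>\n";

    /** Vulnerable: the JAXP defaults honour DOCTYPE and resolve external entities. */
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder();
    }

    /**
     * Hardened: refuse DOCTYPE outright (no entity declarations at all, so no
     * XXE and no billion-laughs expansion), and belt-and-braces disable every
     * external resolution path in case a later change relaxes the first flag.
     */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the payload and reports either the resolved <host> text or the parser's refusal. */
    static String parseHost(DocumentBuilder b) {
        try {
            Document d = b.parse(
                new ByteArrayInputStream(XXE_PAYLOAD.getBytes(StandardCharsets.UTF_8)));
            String host = d.getElementsByTagName("host").item(0).getTextContent().trim();
            return "resolved: " + host;
        } catch (Exception e) {
            // The hardened builder lands here with a SAXParseException on the DOCTYPE.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("permissive -> " + parseHost(permissiveBuilder()));
        System.out.println("hardened   -> " + parseHost(hardenedBuilder()));
    }
}
```

The disallow-doctype-decl feature is the single setting that matters; the remaining flags exist so that a future edit which removes or inverts it does not silently reopen the hole. Apply the same configuration to every JAXP entry point in the code base (SAXParserFactory, XMLInputFactory, TransformerFactory, SchemaFactory), not only to DocumentBuilderFactory.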

Affected software

  • OpenNMS Horizon 0.8 and earlier versions (all Horizon releases before the fixed 32.0.2 release; Meridian received the corresponding fix in 2023.1.6)

Impact

Successful exploitation can lead to:

  • Data leakage (XXE: blind local file inclusion)
  • Denial of service
  • Server-side request forgery (sending arbitrary HTTP requests to internal and external services)

CVSS Base Score: 8.8 (High)

CVSS 3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

Note that the vector's PR:N (no privileges required) sits oddly beside the RTC-role credential requirement described under Exploitation; rescored as PR:L with the remaining metrics unchanged, the CVSS 3.1 base score is 8.2, still High.

The data leakage is limited to text files the application process is permitted to read, and in practice to single-line files: as is typical for blind, out-of-band XXE, the file content is carried inside a URL, so a newline breaks the request.

Remediation

This vulnerability was fixed in the Horizon 32.0.2 and Meridian 2023.1.6 releases.

Discovery credit

This vulnerability was discovered by Moshe Apelbaum, a Black Duck software engineer based in Israel, using the Seeker® Interactive Application Security Testing (IAST) tool.

Timeline

  • June 22, 2023: Initial disclosure to OpenNMS and confirmation of receipt
  • August 1, 2023: OpenNMS confirms the patch is finalized
  • August 9, 2023: OpenNMS releases the patch
  • August 15, 2023: Black Duck publishes this advisory

References

https://www.opennms.com/

https://github.com/OpenNMS/opennms

About CVSS

FIRST.Org, Inc (FIRST) is a US non-profit organization that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization using CVSS give appropriate attribution. FIRST also asks that anyone who publishes scores follow its guidelines, so that readers can understand how a score was calculated.
