CVE-2023-0872 Vulnerability Details

  /     /     /  

CVE-2023-0872 Metadata Quick Info

CVE Published: 14/08/2023 | CVE Updated: 03/10/2024 | CVE Year: 2023
Source: OpenNMS | Vendor: The OpenNMS Group | Product: Horizon
Status : PUBLISHED

---

CVE-2023-0872 Description

The Horizon REST API includes a users endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to elevation of privilege. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization\'s private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter for reporting this issue.

Metrics

CVSS Version: 3.1 | Base Score: 8.2 HIGH
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

l➤ Exploitability Metrics:
    Attack Vector (AV)* ADJACENT_NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* LOW
    User Interaction (UI)* NONE
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* HIGH
    Availability Impact (A)* LOW

Weakness Enumeration (CWE)

CWE-ID: CWE-269
CWE Name: CWE-269 Improper Privilege Management
Source: The OpenNMS Group

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-233
CAPEC Description: CAPEC-233 Privilege Escalation


Source: NVD (National Vulnerability Database).