Home > Vulnerability Database > CVE-2023-0871

Mend.io Vulnerability Database

CVE-2023-0871

Good to know:

Date: August 11, 2023

XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter and Moshe Apelbaum for reporting this issue.

Language: Java

Severity Score

6.1

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-0871

Url: https://github.com/OpenNMS/opennms/pull/6355

Url: https://docs.opennms.com/horizon/32/releasenotes/changelog.html

Url: https://www.mend.io/vulnerability-database/CVE-2023-0871

Severity Score

6.1

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference ('XXE')

CWE-611

Top Fix

Upgrade Version

Upgrade to version opennms-32.0.2-1,meridian-foundation-2020.1.38-1,meridian-foundation-2021.1.30-1,meridian-foundation-2022.1.19-1,meridian-foundation-2023.1.6-1

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	ADJACENT_NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-0871

Good to know:

Date: August 11, 2023

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?