{"id":"CVE-2020-11886","details":"OpenNMS Horizon and Meridian allows HQL Injection in element/nodeList.htm (aka the NodeListController) via snmpParm or snmpParmValue to addCriteriaForSnmpParm. This affects Horizon before 25.2.1, Meridian 2019 before 2019.1.4, Meridian 2018 before 2018.1.16, and Meridian 2017 before 2017.1.21.","modified":"2026-04-11T22:57:29.394742Z","published":"2020-04-17T20:15:12.160Z","database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"2019"},{"fixed":"2019.1.4"}]}]},"references":[{"type":"ADVISORY","url":"https://issues.opennms.org/browse/NMS-12572"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opennms/opennms","events":[{"introduced":"0"},{"fixed":"f96e10ca2c7b3234ee4bfcdc21c6b3fb053673b1"},{"fixed":"d92cd6d25e402e7847b7786d4adeb5d0dc278e40"},{"fixed":"8cc386bbbd072ee0d2a6d0607d30797e88b812f7"}],"database_specific":{"cpe":["cpe:2.3:a:opennms:horizon:*:*:*:*:*:*:*:*","cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"25.2.1"},{"introduced":"2017"},{"fixed":"2017.1.21"},{"introduced":"2018"},{"fixed":"2018.1.16"}]}}],"versions":["meridian-foundation-2017.1.1-1","meridian-foundation-2017.1.11-1","meridian-foundation-2017.1.12-1","meridian-foundation-2017.1.13-1","meridian-foundation-2017.1.14-1","meridian-foundation-2017.1.15-1","meridian-foundation-2017.1.16-1","meridian-foundation-2017.1.17-1","meridian-foundation-2017.1.18-1","meridian-foundation-2017.1.19-1","meridian-foundation-2017.1.20-1","meridian-foundation-2017.1.6-1","meridian-foundation-2017.1.7-1","meridian-foundation-2017.1.8-1","meridian-foundation-2017.1.9-1","meridian-foundation-2018.1.0-1","meridian-foundation-2018.1.1-1","meridian-foundation-2018.1.10-1","meridian-foundation-2018.1.11-1","meridian-foundation-2018.1.12-1","meridian-foundation-2018.1.13-1","meridian-foundation-2018.1.14-1","meridian-foundation-2018.1.15-1","meridian-foundation-2018.1.2-1","meridian-foundation-2018.1.3-1","meridian-foundation-2018.1.4-1","meridian-foundation-2018.1.5-1","meridian-foundation-2018.1.6-1","meridian-foundation-2018.1.7-1","meridian-foundation-2018.1.8-1","meridian-foundation-2018.1.9-1","opennms-1.11.1-1","opennms-1.11.3-1","opennms-1.13.2-1","opennms-1.9.0-1","opennms-1.9.4-1","opennms-1.9.93-1","opennms-20.0.0-1","opennms-21.0.0-1","opennms-21.0.1-1","opennms-21.0.2-1","opennms-21.0.3-1","opennms-21.0.4-1","opennms-21.0.5-1","opennms-25.0.0-1","opennms-25.1.0-1","opennms-25.1.1-1","opennms-25.1.2-1","opennms-25.2.0-1","space-integration-12.2-code-freeze"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["199311011637419260932170840270564976696","288836938368943419283143853669871973966","135718932720050354838971280479342424524","268173271453285545032913211756943992644"],"threshold":0.9},"source":"https://github.com/opennms/opennms/commit/f96e10ca2c7b3234ee4bfcdc21c6b3fb053673b1","deprecated":false,"target":{"file":"opennms-full-assembly/src/test/java/org/opennms/assemblies/karaf/OnmsKarafTestCase.java"},"id":"CVE-2020-11886-7ba910b2"},{"signature_version":"v1","signature_type":"Function","digest":{"length":185,"function_hash":"169990158326267771928730985730669797968"},"source":"https://github.com/opennms/opennms/commit/f96e10ca2c7b3234ee4bfcdc21c6b3fb053673b1","deprecated":false,"target":{"file":"opennms-full-assembly/src/test/java/org/opennms/assemblies/karaf/OnmsKarafTestCase.java","function":"getFrameworkUrl"},"id":"CVE-2020-11886-fc81494f"}],"vanir_signatures_modified":"2026-04-11T22:57:29Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-11886.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}