{"id":"CVE-2023-0870","details":"A form can be manipulated with cross-site request forgery in multiple versions of OpenNMS Meridian and Horizon. This can potentially allow an attacker to gain access to confidential information and compromise integrity. The solution is to upgrade to Meridian 2023.1.1 or Horizon 31.0.6 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.\n","aliases":["GHSA-jxr6-7qg5-8wv6"],"modified":"2026-02-11T14:44:29.522206Z","published":"2023-03-22T19:15:11.817Z","references":[{"type":"ADVISORY","url":"https://docs.opennms.com/meridian/2023/releasenotes/changelog.html#releasenotes-changelog-Meridian-2023.1.1"},{"type":"FIX","url":"https://github.com/OpenNMS/opennms/pull/5835/files"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opennms/opennms","events":[{"introduced":"0"},{"fixed":"c869ac19eb49215bfdbcf4a2a7220716db696dd4"},{"introduced":"0d3624eadab83197935d675b014fa7d8190e0258"},{"fixed":"e36df90dbecad93f8c6d25de40ee402b77e23c58"},{"introduced":"2b771b66f9eeaf9b60dd3d8af2833d4bae66bf08"},{"fixed":"84b4a9917258ab8a56ad770ccfba4f775b5a32a3"},{"introduced":"85e3e796e0953e602941e8fcd6ccaab36f00cacb"},{"fixed":"c8268647096da22bb467fb5a0a6b92bb103fc374"}]}],"versions":["meridian-foundation-2019.1.31-1","meridian-foundation-2019.1.32-1","meridian-foundation-2019.1.33-1","meridian-foundation-2019.1.34-1","meridian-foundation-2019.1.35-1","meridian-foundation-2019.1.36-1","meridian-foundation-2019.1.37-1","meridian-foundation-2019.1.38-1","meridian-foundation-2019.1.39-1","meridian-foundation-2019.1.40-1","meridian-foundation-2020.1.20-1","meridian-foundation-2020.1.21-1","meridian-foundation-2020.1.22-1","meridian-foundation-2020.1.23-1","meridian-foundation-2020.1.24-1","meridian-foundation-2020.1.25-1","meridian-foundation-2020.1.26-1","meridian-foundation-2020.1.27-1","meridian-foundation-2020.1.28-1","meridian-foundation-2020.1.29-1","meridian-foundation-2020.1.30-1","meridian-foundation-2020.1.31-1","meridian-foundation-2020.1.32-1","meridian-foundation-2020.1.33-1","meridian-foundation-2020.1.34-1","meridian-foundation-2021.1.12-1","meridian-foundation-2021.1.14-1","meridian-foundation-2021.1.15-1","meridian-foundation-2021.1.16-1","meridian-foundation-2021.1.17-1","meridian-foundation-2021.1.18-1","meridian-foundation-2021.1.19-1","meridian-foundation-2021.1.20-1","meridian-foundation-2021.1.21-1","meridian-foundation-2021.1.22-1","meridian-foundation-2021.1.23-1","meridian-foundation-2021.1.24-1","meridian-foundation-2021.1.25-1","meridian-foundation-2021.1.26-1","meridian-foundation-2022.1.0-1","meridian-foundation-2022.1.1-1","meridian-foundation-2022.1.10-1","meridian-foundation-2022.1.11-1","meridian-foundation-2022.1.12-1","meridian-foundation-2022.1.13-1","meridian-foundation-2022.1.14-1","meridian-foundation-2022.1.15-1","meridian-foundation-2022.1.2-1","meridian-foundation-2022.1.3-1","meridian-foundation-2022.1.4-1","meridian-foundation-2022.1.5-1","meridian-foundation-2022.1.6-1","meridian-foundation-2022.1.7-1","meridian-foundation-2022.1.8-1","meridian-foundation-2022.1.9-1","meridian-foundation-2023.1.0-1","meridian-foundation-2023.1.1-1","opennms-29.0.10-1","opennms-29.0.6-1","opennms-29.0.7-1","opennms-29.0.8-1","opennms-29.0.9-1","opennms-30.0.0-1","opennms-30.0.1-1","opennms-30.0.2-1","opennms-30.0.3-1","opennms-30.0.4-1","opennms-31.0.0-1","opennms-31.0.1-1","opennms-31.0.2-1","opennms-31.0.3-1","opennms-31.0.4-1","opennms-31.0.5-1"],"database_specific":{"vanir_signatures":[{"deprecated":false,"signature_version":"v1","target":{"file":"opennms-full-assembly/src/test/java/org/opennms/assemblies/karaf/OnmsKarafTestCase.java"},"digest":{"line_hashes":["23136064305974959507363420800670550611","292015173477044714786176247128172123664","29507206020182196750159541926726832067","289273862543051196620066023069107212341"],"threshold":0.9},"id":"CVE-2023-0870-e1ca2707","signature_type":"Line","source":"https://github.com/opennms/opennms/commit/c869ac19eb49215bfdbcf4a2a7220716db696dd4"},{"deprecated":false,"signature_version":"v1","target":{"function":"getFrameworkUrl","file":"opennms-full-assembly/src/test/java/org/opennms/assemblies/karaf/OnmsKarafTestCase.java"},"digest":{"function_hash":"168779852667996611681406272899533616011","length":185},"id":"CVE-2023-0870-e293e665","signature_type":"Function","source":"https://github.com/opennms/opennms/commit/c869ac19eb49215bfdbcf4a2a7220716db696dd4"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-0870.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"}]}