{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-0815","assignerOrgId":"70b007e9-5235-4ee5-90b5-a71a81beeda0","state":"PUBLISHED","assignerShortName":"OpenNMS","dateReserved":"2023-02-13T18:59:43.516Z","datePublished":"2023-02-23T14:52:05.792Z","dateUpdated":"2025-03-11T18:24:39.053Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["Jetty","Log4j2"],"platforms":["Windows","Linux","MacOS"],"product":"Meridian","programFiles":["https://github.com/OpenNMS/opennms/blob/develop/opennms-base-assembly/src/main/filtered/etc/log4j2.xml"],"programRoutines":[{"name":"log4j2.xml"}],"repo":"https://github.com/OpenNMS","vendor":"The OpenNMS Group ","versions":[{"lessThan":"2020.1.32","status":"affected","version":"2020.1.0","versionType":"git"},{"lessThan":"2021.1.24","status":"affected","version":"2021.1.0","versionType":"git"},{"lessThan":"2022.1.13","status":"affected","version":"2022.1.0","versionType":"git"}]},{"defaultStatus":"unknown","modules":["Jetty","Log4j2"],"platforms":["Windows","Linux","MacOS"],"product":"Horizon","programFiles":["https://github.com/OpenNMS/opennms/blob/develop/opennms-base-assembly/src/main/filtered/etc/log4j2.xml"],"programRoutines":[{"name":"log4j2.xml"}],"repo":"https://github.com/OpenNMS","vendor":"The OpenNMS Group","versions":[{"lessThan":"31.0.4","status":"affected","version":"26.0.0","versionType":"git"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: rgb(255, 255, 255);\">Potential Insertion of Sensitive Information into </span><span style=\"background-color: rgb(255, 255, 255);\">Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug.&nbsp;</span>Users\nshould upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and\nHorizon installation instructions state that they are intended for installation\nwithin an organization's private networks and should not be directly accessible\nfrom the Internet.<span style=\"background-color: rgb(255, 255, 255);\"><br>\n\n\n\n\n</span><br>"}],"value":"Potential Insertion of Sensitive Information into Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug. Users\nshould upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and\nHorizon installation instructions state that they are intended for installation\nwithin an organization's private networks and should not be directly accessible\nfrom the Internet.\n\n\n\n\n\n\n"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"NONE","baseScore":6.8,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-532","description":"CWE-532 Insertion of Sensitive Information into Log File","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"70b007e9-5235-4ee5-90b5-a71a81beeda0","shortName":"OpenNMS","dateUpdated":"2023-02-27T18:58:26.046Z"},"references":[{"url":"https://github.com/OpenNMS/opennms/pull/5741/files"},{"url":"https://docs.opennms.com/meridian/2022/releasenotes/changelog.html#releasenotes-changelog-Meridian-2022.1.13"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: rgb(244, 245, 247);\">&lt;</span><span style=\"background-color: rgb(244, 245, 247);\">logger</span> <span style=\"background-color: rgb(244, 245, 247);\">name</span><span style=\"background-color: rgb(244, 245, 247);\">=</span><span style=\"background-color: rgb(244, 245, 247);\">\"</span><span style=\"background-color: rgb(244, 245, 247);\">org.eclipse.jetty.server.HttpInput</span><span style=\"background-color: rgb(244, 245, 247);\">\"</span> <span style=\"background-color: rgb(244, 245, 247);\">additivity</span><span style=\"background-color: rgb(244, 245, 247);\">=</span><span style=\"background-color: rgb(244, 245, 247);\">\"</span><span style=\"background-color: rgb(244, 245, 247);\">false</span><span style=\"background-color: rgb(244, 245, 247);\">\"</span> <span style=\"background-color: rgb(244, 245, 247);\">level</span><span style=\"background-color: rgb(244, 245, 247);\">=</span><span style=\"background-color: rgb(244, 245, 247);\">\"</span><span style=\"background-color: rgb(244, 245, 247);\">INFO</span><span style=\"background-color: rgb(244, 245, 247);\">\"</span><span style=\"background-color: rgb(244, 245, 247);\">&gt;</span>\n<span style=\"background-color: rgb(244, 245, 247);\">2</span> <br> <span style=\"background-color: rgb(244, 245, 247);\">&lt;</span><span style=\"background-color: rgb(244, 245, 247);\">appender-ref</span> <span style=\"background-color: rgb(244, 245, 247);\">ref</span><span style=\"background-color: rgb(244, 245, 247);\">=</span><span style=\"background-color: rgb(244, 245, 247);\">\"</span><span style=\"background-color: rgb(244, 245, 247);\">RoutingAppender</span><span style=\"background-color: rgb(244, 245, 247);\">\"</span><span style=\"background-color: rgb(244, 245, 247);\">/&gt;</span>\n<span style=\"background-color: rgb(244, 245, 247);\">3<br></span><span style=\"background-color: rgb(244, 245, 247);\">&lt;/</span><span style=\"background-color: rgb(244, 245, 247);\">logger</span><span style=\"background-color: rgb(244, 245, 247);\">&gt;<br><br><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/OpenNMS/opennms/pull/5741\">https://github.com/OpenNMS/opennms/pull/5741<br><br></a>or upgrade to a newer version of Meridian or Horizon. <br></span><br>"}],"value":"<logger name=\"org.eclipse.jetty.server.HttpInput\" additivity=\"false\" level=\"INFO\">\n2 \n <appender-ref ref=\"RoutingAppender\"/>\n3\n</logger>\n\n https://github.com/OpenNMS/opennms/pull/5741\n\n https://github.com/OpenNMS/opennms/pull/5741 or upgrade to a newer version of Meridian or Horizon. \n\n"}],"source":{"discovery":"INTERNAL"},"title":"Plaintext Password Present in the Web logs","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T05:24:34.493Z"},"title":"CVE Program Container","references":[{"url":"https://github.com/OpenNMS/opennms/pull/5741/files","tags":["x_transferred"]},{"url":"https://docs.opennms.com/meridian/2022/releasenotes/changelog.html#releasenotes-changelog-Meridian-2022.1.13","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-03-11T18:24:22.248673Z","id":"CVE-2023-0815","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-03-11T18:24:39.053Z"}}]}}