💉 CVE-2020-11886: HQL Injection in the NodeListController

Security researchers J. Moritz and D. Brinkrofl from RIPS Technologies reported security issues in our OpenNMS Horizon and Meridian versions, in particular a critical HQL injection, which we have documented as CVE-2020-11886. OpenNMS Horizon and Meridian allow HQL injection in element/nodeList.htm (aka the NodeListController) via the snmpParm or snmpParmValue request parameters, which reach addCriteriaForSnmpParm.
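The defect class behind this advisory, shown as an added illustration rather than OpenNMS code: request values spliced into HQL text beside the safe form, where the property name is checked against a fixed allowlist (a property name cannot be bound as a query parameter) and the value is bound with a named parameter. The entity name SnmpInterface and its properties ifAlias, ifName and ifDescr are assumptions; only snmpParm and snmpParmValue come from the advisory.

```java
import java.util.List;
import java.util.Set;
import org.hibernate.Session;
import org.hibernate.query.Query;

/* Hypothetical sketch, not OpenNMS code. Assumes a Hibernate entity
 * SnmpInterface with String properties ifAlias, ifName and ifDescr
 * (assumed names); snmpParm and snmpParmValue are the request
 * parameters named in the advisory. */
public class SnmpParmCriteria {

    // Vulnerable pattern: both request values are concatenated into the HQL
    // text, so quote or keyword characters in either one change the query
    // structure instead of being treated as data.
    static String unsafeHql(String snmpParm, String snmpParmValue) {
        return "from SnmpInterface s where s." + snmpParm
             + " = '" + snmpParmValue + "'";
    }

    // Fixed pattern: the property name must match a known entry (an
    // identifier cannot be parameterized), and the value is bound, never
    // concatenated, so Hibernate passes it to the database as a literal.
    private static final Set<String> ALLOWED_PARMS =
        Set.of("ifAlias", "ifName", "ifDescr");

    static List<?> findByParm(Session session, String snmpParm,
                              String snmpParmValue) {
        if (!ALLOWED_PARMS.contains(snmpParm)) {
            throw new IllegalArgumentException("unsupported snmpParm");
        }
        Query<?> q = session.createQuery(
            "from SnmpInterface s where s." + snmpParm + " = :value");
        q.setParameter("value", snmpParmValue);
        return q.list();
    }
}
```

Logging and rejecting requests whose snmpParm fails the allowlist check gives a simple detection signal for probing of this endpoint on unpatched installations.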

This issue affects the following versions:

  • Horizon before 25.2.1
  • Meridian 2019 before 2019.1.4
  • Meridian 2018 before 2018.1.16
  • Meridian 2017 before 2017.1.21

This issue is fixed in versions:

  • Horizon 25.2.1
  • Meridian 2019.1.4
  • Meridian 2018.1.16
  • Meridian 2017.1.21