Description
Potential Insertion of Sensitive Information into Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
Remediation
References
https://docs.opennms.com/meridian/2022/releasenotes/changelog.html#releasenotes-changelog-Meridian-2022.1.13
https://github.com/OpenNMS/opennms/pull/5741/files
Related Vulnerabilities
CVE-2021-20190 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2023-46244 Vulnerability in maven package org.xwiki.platform:xwiki-platform-display-api
CVE-2023-32081 Vulnerability in maven package io.vertx:vertx-stomp
CVE-2022-29577 Vulnerability in maven package org.owasp:antisamy
CVE-2021-3223 Vulnerability in npm package node-red-dashboard