CVE-2021-3396: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

May 24, 2022 (updated August 3, 2023)

OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1.2 through 27.0.4, and Newts <1.5.3 has Incorrect Access Control, which allows local and remote code execution using JEXL expressions.

References

github.com/OpenNMS/opennms/pull/3281
github.com/advisories/GHSA-c3mp-9vx3-2rvv
issues.opennms.org/browse/NMS-13103
nvd.nist.gov/vuln/detail/CVE-2021-3396
www.opennms.com/en/blog/2021-02-16-cve-2021-3396-full-security-disclosure/

Code Behaviors & Features

Detect and mitigate CVE-2021-3396 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →