icon

We found results for “

CVE-2021-25931

Date: May 20, 2021

Overview

in OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1--meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. This flaw allows assigning `ROLE_ADMIN` security role to a normal user. Using this flaw, an attacker can trick the admin user to assign administrator privileges to a normal user by enticing him to click upon an attacker-controlled website.

Details

The “modify user” settings feature in OpenNMS is vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. This flaw allows assigning `ROLE_ADMIN` security role to a normal user. Using this flaw, an attacker can trick the admin user to assign administrator privileges to a normal user by enticing him to click upon an attacker-controlled website.

PoC Details

Login to the application as admin and create a new user “A Normal User” with “ROLE_USER” permissions. Login with the newly created user “A Normal User" and visit ‘opennms/admin/ng-requisitions/index.jsp#/requisitions’. Access is denied when visiting the above page as it is an admin-only page. Logout from “A Normal User" and login back as “admin". Visit the page where the POC html page (given below) is located. Request is sent on behalf of Admin. Logout from “Admin" and login as “A Normal User" and visit an admin only page ‘opennms/admin/ng-requisitions/index.jsp#/requisitions’.

Affected Environments

opennms-1-0-stable, opennms-1.0.1 through opennms-27.1.0-1, meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1, meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1

Prevention

Upgrade to Horizon 27.1.1, Meridian 2020.1.7 or Meridian 2019.1.19

Language: Java

Good to know:

icon

Cross-Site Request Forgery (CSRF)

CWE-352
icon

Upgrade Version

Upgrade to version org.opennms:opennms:27.1.1, org.opennms:opennms-config:27.1.1

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privilegs Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Additional information: