CVE-2020-12760

An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions.

• CWE-502

• https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1Release Notes
• https://issues.opennms.org/browse/NMS-12673Vendor Advisory
• https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/Release Notes, Vendor Advisory
• https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/Release Notes, Vendor Advisory
• https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/Release Notes, Vendor Advisory
• https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1Release Notes
• https://issues.opennms.org/browse/NMS-12673Vendor Advisory
• https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released/Release Notes, Vendor Advisory
• https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released/Release Notes, Vendor Advisory
• https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released/Release Notes, Vendor Advisory

Published

May 11, 2020

Last Modified

Jun 17, 2026

Status

Modified