CVE-2021-25931
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-25931
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25931.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-25931
- Aliases
- Published
- 2021-05-20T15:15:07Z
- Modified
- 2025-10-21T06:06:33.220215Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at
/opennms/admin/userGroupView/users/updateUser. This flaw allows assigningROLE_ADMINsecurity role to a normal user. Using this flaw, an attacker can trick the admin user to assign administrator privileges to a normal user by enticing him to click upon an attacker-controlled website. - References
Affected packages
Git / github.com/opennms/opennms
Affected ranges
- Type
- GIT
- Repo
- https://github.com/opennms/opennms
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
meridian-foundation-2015.*
meridian-foundation-2015.1.0-1
meridian-foundation-2015.1.1-1
meridian-foundation-2015.1.10-1
meridian-foundation-2015.1.2-1
meridian-foundation-2015.1.3-1
meridian-foundation-2015.1.4-1
meridian-foundation-2015.1.5-1
meridian-foundation-2015.1.6-1
meridian-foundation-2015.1.7-1
meridian-foundation-2016.*
meridian-foundation-2016.1.1-1
meridian-foundation-2016.1.10-1
meridian-foundation-2016.1.15-1
meridian-foundation-2016.1.2-1
meridian-foundation-2016.1.3-1
meridian-foundation-2016.1.4-1
meridian-foundation-2016.1.5-1
meridian-foundation-2016.1.6-1
meridian-foundation-2016.1.7-1
meridian-foundation-2016.1.9-1
meridian-foundation-2017.*
meridian-foundation-2017.1.0-1
meridian-foundation-2017.1.10-1
meridian-foundation-2017.1.2-1
meridian-foundation-2017.1.3-1
meridian-foundation-2017.1.4-1
meridian-foundation-2017.1.5-1
opennms-1.*
opennms-1.10.0-1
opennms-1.10.1-1
opennms-1.10.10-1
opennms-1.10.11-1
opennms-1.10.12-1
opennms-1.10.13-1
opennms-1.10.14-1
opennms-1.10.2-1
opennms-1.10.3-1
opennms-1.10.4-1
opennms-1.10.5-1
opennms-1.10.6-1
opennms-1.10.7-1
opennms-1.10.8-1
opennms-1.10.9-1
opennms-1.11.0-1
opennms-1.11.1-1
opennms-1.11.3-1
opennms-1.11.90-1
opennms-1.11.91-1
opennms-1.11.92-1
opennms-1.11.93-1
opennms-1.11.94-1
opennms-1.12.0-1
opennms-1.12.1-1
opennms-1.12.2-1
opennms-1.12.3-1
opennms-1.12.4-1
opennms-1.12.5-1
opennms-1.12.6-1
opennms-1.12.7-1
opennms-1.12.8-1
opennms-1.12.9-1
opennms-1.13.0-1
opennms-1.13.1-1
opennms-1.13.2-1
opennms-1.13.3-1
opennms-1.13.4-1
opennms-1.7.9
opennms-1.9.0-1
opennms-1.9.3-2
opennms-1.9.4-1
opennms-1.9.5-1
opennms-1.9.6-1
opennms-1.9.7-1
opennms-1.9.8-1
opennms-1.9.90-1
opennms-1.9.91-1
opennms-1.9.92-1
opennms-1.9.93-1
opennms-14.*
opennms-14.0.0-1
opennms-14.0.1-1
opennms-14.0.2-1
opennms-14.0.3-1
opennms-14.0.3-2
opennms-15.*
opennms-15.0.0-1
opennms-15.0.1-1
opennms-15.0.2-1
opennms-16.*
opennms-16.0.0-1
opennms-16.0.1-1
opennms-16.0.2-1
opennms-16.0.3-1
opennms-16.0.4-1
opennms-17.*
opennms-17.0.0-1
opennms-17.1.0-1
opennms-17.1.1-1
opennms-17.1.1-2
opennms-17.1.1-3
opennms-18.*
opennms-18.0.0-1
opennms-18.0.1-1
opennms-18.0.2-1
opennms-18.0.3-1
opennms-18.0.4-1
opennms-19.*
opennms-19.0.0-1
opennms-19.0.1-1
opennms-19.1.0-1
opennms-20.*
opennms-20.0.0-1
opennms-20.0.1-1
opennms-20.0.2-1
opennms-20.1.0-1
opennms-21.*
opennms-21.0.0-1
opennms-21.0.1-1
opennms-21.0.2-1
opennms-21.0.3-1
opennms-21.0.4-1
opennms-21.0.5-1
opennms-21.1.0-1
opennms-22.*
opennms-22.0.0-1
opennms-22.0.1-1
opennms-22.0.2-1
opennms-22.0.3-1
opennms-22.0.4-1
opennms-23.*
opennms-23.0.0-1
opennms-23.0.1-1
opennms-23.0.2-1
opennms-23.0.3-1
opennms-23.0.4-1
opennms-24.*
opennms-24.0.0-1
opennms-24.1.0-1
opennms-24.1.1-1
opennms-24.1.2-1
opennms-24.1.3-1
opennms-25.*
opennms-25.0.0-1
opennms-25.1.0-1
opennms-25.1.1-1
opennms-25.1.2-1
opennms-25.2.0-1
opennms-25.2.1-1
opennms-26.*
opennms-26.0.0-1
opennms-26.0.1-1
opennms-26.1.0-1
opennms-26.1.1-1
space-integration-12.*
space-integration-12.2-code-freeze
Database specific
vanir_signatures
[
{
"source": "https://github.com/opennms/opennms/commit/607151ea8f90212a3fb37c977fa57c7d58d26a84",
"id": "CVE-2021-25931-039acaa4",
"deprecated": false,
"target": {
"file": "opennms-config/src/main/java/org/opennms/netmgt/config/UserManager.java"
},
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"92700676384225663476354717585169427211",
"19929735324529665988283800955997860286",
"99473602049054508292813906355778202933",
"135587879722184517390215416140588627160"
]
},
"signature_type": "Line"
},
{
"source": "https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c",
"id": "CVE-2021-25931-04412c6e",
"deprecated": false,
"target": {
"function": "renameGroup",
"file": "opennms-webapp/src/main/java/org/opennms/web/controller/admin/group/GroupController.java"
},
"signature_version": "v1",
"digest": {
"length": 314.0,
"function_hash": "144759024573714915384785318319942410353"
},
"signature_type": "Function"
},
{
"source": "https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c",
"id": "CVE-2021-25931-26db798a",
"deprecated": false,
"target": {
"function": "doPost",
"file": "opennms-webapp/src/main/java/org/opennms/web/admin/users/RenameUserServlet.java"
},
"signature_version": "v1",
"digest": {
"length": 378.0,
"function_hash": "140896969588649620875571293911303623336"
},
"signature_type": "Function"
},
{
"source": "https://github.com/opennms/opennms/commit/607151ea8f90212a3fb37c977fa57c7d58d26a84",
"id": "CVE-2021-25931-3bd8ad89",
"deprecated": false,
"target": {
"file": "smoke-test/src/test/java/org/opennms/smoketest/UserIT.java"
},
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"20681234183258002295279676735796560978",
"133447658781509795682109003447829649209",
"68961282755823214253510235711551723968",
"327123241392702504662105124559304528530"
]
},
"signature_type": "Line"
},
{
"source": "https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c",
"id": "CVE-2021-25931-756876d8",
"deprecated": false,
"target": {
"file": "opennms-webapp/src/main/java/org/opennms/web/admin/users/AddNewUserServlet.java"
},
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"63862115445021482406981461159020448473",
"192790766046859987790732110517539223001",
"264559957673844931483714759827957494060",
"187562419973017837990659765287661653505"
]
},
"signature_type": "Line"
},
{
"source": "https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c",
"id": "CVE-2021-25931-84167b85",
"deprecated": false,
"target": {
"file": "opennms-webapp/src/main/java/org/opennms/web/admin/users/RenameUserServlet.java"
},
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"89256397304596016052036103843694799455",
"228142828937052465100599374335507169788",
"253436531422684568205797174898232887867"
]
},
"signature_type": "Line"
},
{
"source": "https://github.com/opennms/opennms/commit/607151ea8f90212a3fb37c977fa57c7d58d26a84",
"id": "CVE-2021-25931-95d911bf",
"deprecated": false,
"target": {
"function": "renameUser",
"file": "opennms-config/src/main/java/org/opennms/netmgt/config/UserManager.java"
},
"signature_version": "v1",
"digest": {
"length": 709.0,
"function_hash": "281642944037454003162199544108011162530"
},
"signature_type": "Function"
},
{
"source": "https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c",
"id": "CVE-2021-25931-b51ae946",
"deprecated": false,
"target": {
"file": "opennms-webapp/src/main/java/org/opennms/web/controller/admin/group/GroupController.java"
},
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"58730506138354010431660930680209411599",
"131372045428180590852460578241088976601",
"107737349864204963929678012583384325367",
"6897653343869269317735066625920671701",
"220882383980174487142093456676728608479",
"52485355072899409265839311709820086238"
]
},
"signature_type": "Line"
},
{
"source": "https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c",
"id": "CVE-2021-25931-cb44f906",
"deprecated": false,
"target": {
"function": "addGroup",
"file": "opennms-webapp/src/main/java/org/opennms/web/controller/admin/group/GroupController.java"
},
"signature_version": "v1",
"digest": {
"length": 610.0,
"function_hash": "296653347434168606010481034581794117613"
},
"signature_type": "Function"
},
{
"source": "https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c",
"id": "CVE-2021-25931-d4ce405d",
"deprecated": false,
"target": {
"file": "smoke-test/src/test/java/org/opennms/smoketest/UserIT.java"
},
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"215985755002245887884707550113681684850",
"11438173654715828717935667960271049116",
"176681594848500904939248140376016076557"
]
},
"signature_type": "Line"
},
{
"source": "https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c",
"id": "CVE-2021-25931-eed35066",
"deprecated": false,
"target": {
"function": "doPost",
"file": "opennms-webapp/src/main/java/org/opennms/web/admin/users/AddNewUserServlet.java"
},
"signature_version": "v1",
"digest": {
"length": 1151.0,
"function_hash": "198479055700301882740520908056306576753"
},
"signature_type": "Function"
}
]