Plaintext Password Present in the Web logs
Description
Potential Insertion of Sensitive Information into Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to DEBUG. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4 or newer. The Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opennms:opennms (Maven) | < 31.0.4 | 31.0.4 |
Affected products
- The OpenNMS Group / Horizon: affected range starting at 26.0.0
- The OpenNMS Group / Meridian: affected range starting at 2020.1.0
Patches
Vulnerability mechanics
Root cause
"Missing explicit log-level configuration for Jetty's HttpInput logger causes sensitive request data (usernames and passwords) to be written to application logs when the root logger is set to DEBUG."
Attack vector
An attacker who can read the OpenNMS application log files can obtain usernames and passwords whenever the logging level is set to DEBUG. The advisory notes that OpenNMS is intended for installation within private networks and should not be directly accessible from the Internet, so the realistic vector is local or network-adjacent access to wherever the logs end up. Reading the logs requires no OpenNMS authentication, only filesystem access to the log directory, so weak file permissions are the primary exposure; any copy of the logs (log forwarding to a central collector, backups, log bundles attached to support tickets) carries the same credentials and widens the audience. The sensitive information leaks passively during normal operation once debug logging is enabled; no malicious request is needed.
Affected code
The patch modifies `opennms-base-assembly/src/main/filtered/etc/log4j2.xml` by adding a new logger entry for `org.eclipse.jetty.server.HttpInput` at INFO level. Previously, Jetty's `HttpInput` logger was not explicitly configured, so it inherited the root logger's DEBUG level, which caused sensitive request data (including credentials) to be written into application logs.
What the fix does
The patch adds an explicit logger for `org.eclipse.jetty.server.HttpInput` with `level="INFO"` and `additivity="false"`. The two attributes do different jobs. The `level` attribute is what stops the leak: in log4j2 a logger with no configured level takes the level of its nearest configured ancestor, which here was the root logger at DEBUG; giving `HttpInput` its own INFO level caps it regardless of the root level, so the request bodies that Jetty emits at DEBUG (including usernames and passwords) are no longer written. The `additivity="false"` attribute controls where the events that do pass the level go: they are sent only to the RoutingAppender referenced by this logger and are not also passed up to the root logger's appenders, so they cannot be duplicated into another log file. Two caveats for operators: the cap applies only to the `HttpInput` logger, so an explicit DEBUG or TRACE entry for that logger (or for a more specific child name) re-enables the leak, and a config change cannot scrub credentials already written to existing log files; after upgrading, confirm that `etc/log4j2.xml` actually contains the new entry, treat any log captured while DEBUG was active as containing credentials, and rotate the affected passwords and purge those files.
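The leak hinges on log4j2's level inheritance, so the check worth automating is "what is the effective level of `org.eclipse.jetty.server.HttpInput` in this log4j2.xml?". The script below is an added example, not OpenNMS's own code or tooling: it parses a log4j2.xml document, resolves the effective level by walking the dotted logger hierarchy up to `<Root>` (the same rule log4j2 applies, generalised to any logger name), and flags a configuration as leaking when that level admits DEBUG. The two embedded configurations are constructed, cut-down fragments that mirror the vulnerable and fixed states described above; they use a `STDOUT` appender in place of OpenNMS's RoutingAppender and omit everything else in the real file.

```python
import xml.etree.ElementTree as ET

# Constructed, cut-down log4j2.xml fragments (not OpenNMS's real etc/log4j2.xml).
# VULNERABLE_CONFIG: root at DEBUG, no entry for Jetty's HttpInput logger, so
# HttpInput inherits DEBUG and Jetty writes request bodies into the log.
VULNERABLE_CONFIG = """
<Configuration>
  <Appenders>
    <Console name="STDOUT"/>
  </Appenders>
  <Loggers>
    <Logger name="org.opennms.netmgt" level="INFO"/>
    <Root level="DEBUG">
      <AppenderRef ref="STDOUT"/>
    </Root>
  </Loggers>
</Configuration>
"""

# FIXED_CONFIG: the shape of the patch, an explicit INFO logger for HttpInput
# with additivity="false". Root stays at DEBUG; only HttpInput is capped.
FIXED_CONFIG = """
<Configuration>
  <Appenders>
    <Console name="STDOUT"/>
  </Appenders>
  <Loggers>
    <Logger name="org.opennms.netmgt" level="INFO"/>
    <Logger name="org.eclipse.jetty.server.HttpInput" level="INFO" additivity="false">
      <AppenderRef ref="STDOUT"/>
    </Logger>
    <Root level="DEBUG">
      <AppenderRef ref="STDOUT"/>
    </Root>
  </Loggers>
</Configuration>
"""

JETTY_HTTP_INPUT = "org.eclipse.jetty.server.HttpInput"

# log4j2 standard levels, least to most verbose. Anything at DEBUG or beyond
# (TRACE, ALL) lets Jetty's HttpInput debug records through.
LEVELS = ["OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE", "ALL"]


def configured_loggers(xml_text):
    """Return ({logger name: explicit level or None}, root level) from a log4j2.xml.

    A <Logger> with no level attribute is recorded as None: log4j2 lets such a
    logger inherit its level from its parent, so it must not stop the walk.
    Both Logger/Root and their Async variants are recognised.
    """
    doc = ET.fromstring(xml_text)
    loggers = {}
    root_level = "ERROR"  # log4j2's default root level when no <Root> is declared
    for node in doc.iter():
        tag = node.tag.split("}")[-1]  # tolerate a namespaced document
        if tag in ("Logger", "AsyncLogger") and node.get("name"):
            level = node.get("level")
            loggers[node.get("name")] = level.upper() if level else None
        elif tag in ("Root", "AsyncRoot"):
            root_level = node.get("level", root_level).upper()
    return loggers, root_level


def effective_level(logger_name, loggers, root_level):
    """Resolve a logger's effective level the way log4j2 does: the nearest
    ancestor in the dotted hierarchy with an explicit level wins, else Root."""
    parts = logger_name.split(".")
    for i in range(len(parts), 0, -1):
        level = loggers.get(".".join(parts[:i]))
        if level:
            return level
    return root_level


def admits_debug(level):
    """True when records logged at DEBUG would be written under this level."""
    return LEVELS.index(level) >= LEVELS.index("DEBUG")


def http_input_leaks(xml_text):
    """True when this log4j2.xml would let Jetty's HttpInput log request bodies."""
    loggers, root_level = configured_loggers(xml_text)
    return admits_debug(effective_level(JETTY_HTTP_INPUT, loggers, root_level))


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        loggers, root_level = configured_loggers(cfg)
        print(name, effective_level(JETTY_HTTP_INPUT, loggers, root_level),
              "LEAKS" if http_input_leaks(cfg) else "capped")
```

Run it against a real `etc/log4j2.xml` by reading the file into `http_input_leaks`; a `True` result after an upgrade means the patched entry is missing or has been overridden (for example by an explicit DEBUG entry for the same or a more specific logger name, which the hierarchy walk picks up first).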
Preconditions
- config: The OpenNMS instance must have its logging level set to DEBUG (the root logger defaults to DEBUG in the provided log4j2.xml).
- auth: An attacker must have read access to the application log files where Jetty HTTP input data is written.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.