CVE-2023-40313: 
Java vulnerability analysis and mitigation

A BeanShell interpreter in remote server mode runs in OpenMNS Horizon versions earlier than 32.0.2 and in related Meridian versions which could allow arbitrary remote Java code execution. The vulnerability was disclosed on August 17, 2023. The affected systems include OpenMNS Horizon versions before 32.0.2 and related Meridian versions (NVD).

The vulnerability has a CVSS v3.1 Base Score of 8.8 (HIGH) with vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H according to NVD assessment. The CNA (The OpenNMS Group) assessed it with a Base Score of 7.1 (HIGH) with vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L. The vulnerability is related to a BeanShell interpreter running in remote server mode that could allow arbitrary code execution (NVD).

The vulnerability could allow an attacker to execute arbitrary remote Java code on affected systems. This poses a significant security risk as it could lead to complete system compromise with high impacts on confidentiality, integrity, and availability of the system (NVD).

The solution is to upgrade to one of the following versions: Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. It's important to note that Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet (Changelog).

The vulnerability was addressed as part of security fixes in release 32.0.2, which included disabling the BeanShell interpreter remote server mode (Changelog).