{"id":"CVE-2021-25930","details":"OpenNMS Horizon versions opennms-1-0-stable through opennms-27.1.0-1, and OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1 and meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1, are vulnerable to CSRF because there is no CSRF protection and because an existing user name is not validated when a user is renamed. As a result, the privileges of the renamed user are overwritten by those of the old user, and the old user is deleted from the user list.","aliases":["GHSA-p63h-7hw8-5cw4"],"modified":"2026-04-11T13:54:00.025351Z","published":"2021-05-20T14:15:07.737Z","references":[{"type":"FIX","url":"https://github.com/OpenNMS/opennms/commit/607151ea8f90212a3fb37c977fa57c7d58d26a84"},{"type":"FIX","url":"https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"},{"type":"EVIDENCE","url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25930"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opennms/opennms","events":[{"introduced":"67c7635a68963a3005df7aedd41195eb23d9f41b"},{"fixed":"399ed865e66ec3cb60674c3e7ec8403309754dfb"},{"introduced":"9e5617454f5f5d44dcd2fff3a33b603038b52530"},{"fixed":"bfd3de5ac0f158e2e1a257d0ee30291281334e60"},{"introduced":"0d3624eadab83197935d675b014fa7d8190e0258"},{"fixed":"4ad904678528a4f8e26ae3e776b1009f6564be2e"},{"fixed":"607151ea8f90212a3fb37c977fa57c7d58d26a84"},{"fixed":"eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"}],"database_specific":{"versions":[{"introduced":"1.0"},{"fixed":"27.1.1"},{"introduced":"2015.1.0"},{"fixed":"2019.1.19"},{"introduced":"2020.1.0"},{"fixed":"2020.1.7"}]}}],"versions":["meridian-foundation-2020.1.0-1","meridian-foundation-2020.1.1-1","meridian-foundation-2020.1.2-1","meridian-foundation-2020.1.3-1","meridian-foundation-2020.1.4-1","meridian-foundation-2020.1.5-1","meridian-foundation-2020.1.6-1"],"database_specific":{"vanir_signatures":[{"id":"CVE-2021-25930-0
25f01ec","signature_version":"v1","signature_type":"Line","target":{"file":"opennms-full-assembly/src/test/java/org/opennms/assemblies/karaf/OnmsKarafTestCase.java"},"deprecated":false,"digest":{"line_hashes":["274512322503962685663647942214031473657","239957005078604087605198069636665484125","51297086796185311165292000712741592405","89316630911645056401425776591707967796"],"threshold":0.9},"source":"https://github.com/opennms/opennms/commit/399ed865e66ec3cb60674c3e7ec8403309754dfb"},{"id":"CVE-2021-25930-039acaa4","signature_version":"v1","signature_type":"Line","target":{"file":"opennms-config/src/main/java/org/opennms/netmgt/config/UserManager.java"},"deprecated":false,"digest":{"line_hashes":["92700676384225663476354717585169427211","19929735324529665988283800955997860286","99473602049054508292813906355778202933","135587879722184517390215416140588627160"],"threshold":0.9},"source":"https://github.com/opennms/opennms/commit/607151ea8f90212a3fb37c977fa57c7d58d26a84"},{"id":"CVE-2021-25930-04412c6e","signature_version":"v1","signature_type":"Function","target":{"file":"opennms-webapp/src/main/java/org/opennms/web/controller/admin/group/GroupController.java","function":"renameGroup"},"deprecated":false,"digest":{"length":314,"function_hash":"144759024573714915384785318319942410353"},"source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"},{"id":"CVE-2021-25930-26db798a","signature_version":"v1","signature_type":"Function","target":{"file":"opennms-webapp/src/main/java/org/opennms/web/admin/users/RenameUserServlet.java","function":"doPost"},"deprecated":false,"digest":{"length":378,"function_hash":"140896969588649620875571293911303623336"},"source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"},{"id":"CVE-2021-25930-3bd8ad89","signature_version":"v1","signature_type":"Line","target":{"file":"smoke-test/src/test/java/org/opennms/smoketest/UserIT.java"},"deprecated":false,"digest":{"line_hashe
s":["20681234183258002295279676735796560978","133447658781509795682109003447829649209","68961282755823214253510235711551723968","327123241392702504662105124559304528530"],"threshold":0.9},"source":"https://github.com/opennms/opennms/commit/607151ea8f90212a3fb37c977fa57c7d58d26a84"},{"id":"CVE-2021-25930-756876d8","signature_version":"v1","signature_type":"Line","target":{"file":"opennms-webapp/src/main/java/org/opennms/web/admin/users/AddNewUserServlet.java"},"deprecated":false,"digest":{"line_hashes":["63862115445021482406981461159020448473","192790766046859987790732110517539223001","264559957673844931483714759827957494060","187562419973017837990659765287661653505"],"threshold":0.9},"source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"},{"id":"CVE-2021-25930-84167b85","signature_version":"v1","signature_type":"Line","target":{"file":"opennms-webapp/src/main/java/org/opennms/web/admin/users/RenameUserServlet.java"},"deprecated":false,"digest":{"line_hashes":["89256397304596016052036103843694799455","228142828937052465100599374335507169788","253436531422684568205797174898232887867"],"threshold":0.9},"source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"},{"id":"CVE-2021-25930-8629809b","signature_version":"v1","signature_type":"Function","target":{"file":"opennms-full-assembly/src/test/java/org/opennms/assemblies/karaf/OnmsKarafTestCase.java","function":"getFrameworkUrl"},"deprecated":false,"digest":{"length":185,"function_hash":"131658155818715672810866632343923060109"},"source":"https://github.com/opennms/opennms/commit/399ed865e66ec3cb60674c3e7ec8403309754dfb"},{"id":"CVE-2021-25930-95d911bf","signature_version":"v1","signature_type":"Function","target":{"file":"opennms-config/src/main/java/org/opennms/netmgt/config/UserManager.java","function":"renameUser"},"deprecated":false,"digest":{"length":709,"function_hash":"281642944037454003162199544108011162530"},"source":"https://github.com/
opennms/opennms/commit/607151ea8f90212a3fb37c977fa57c7d58d26a84"},{"id":"CVE-2021-25930-b51ae946","signature_version":"v1","signature_type":"Line","target":{"file":"opennms-webapp/src/main/java/org/opennms/web/controller/admin/group/GroupController.java"},"deprecated":false,"digest":{"line_hashes":["58730506138354010431660930680209411599","131372045428180590852460578241088976601","107737349864204963929678012583384325367","6897653343869269317735066625920671701","220882383980174487142093456676728608479","52485355072899409265839311709820086238"],"threshold":0.9},"source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"},{"id":"CVE-2021-25930-cb44f906","signature_version":"v1","signature_type":"Function","target":{"file":"opennms-webapp/src/main/java/org/opennms/web/controller/admin/group/GroupController.java","function":"addGroup"},"deprecated":false,"digest":{"length":610,"function_hash":"296653347434168606010481034581794117613"},"source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"},{"id":"CVE-2021-25930-d4ce405d","signature_version":"v1","signature_type":"Line","target":{"file":"smoke-test/src/test/java/org/opennms/smoketest/UserIT.java"},"deprecated":false,"digest":{"line_hashes":["215985755002245887884707550113681684850","11438173654715828717935667960271049116","176681594848500904939248140376016076557"],"threshold":0.9},"source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"},{"id":"CVE-2021-25930-eed35066","signature_version":"v1","signature_type":"Function","target":{"file":"opennms-webapp/src/main/java/org/opennms/web/admin/users/AddNewUserServlet.java","function":"doPost"},"deprecated":false,"digest":{"length":1151,"function_hash":"198479055700301882740520908056306576753"},"source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"}],"vanir_signatures_modified":"2026-04-11T13:54:00Z","source":"https://storage.googl
eapis.com/cve-osv-conversion/osv-output/CVE-2021-25930.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}]}