| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.opennms.core:org.opennms.core.daemon | maven | < 26.0.1 | 26.0.1 |

The vulnerability stems from the ActiveMQ configuration, in which the `trustAllPackages` property was explicitly set to `true`. This setting disables ActiveMQ's protection against unsafe deserialization by telling it to trust all Java packages when deserializing objects. Commit e21fc14 fixes the issue by removing this configuration parameter. Although it is not a function in the traditional sense, this configuration directive directly enabled the insecure deserialization primitive that led to RCE. Confidence is high because the configuration change in the patch correlates directly with the CWE-502 vulnerability description.
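
The following is an added example, not code from OpenNMS or ActiveMQ: a Python check that flags Spring bean definitions enabling `trustAllPackages`, run against a bean file before and after the property is removed. The bean XML is a constructed sample rather than the project's actual configuration, and `find_trust_all` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample Spring bean file (not OpenNMS's actual configuration).
SAMPLE_BEFORE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="jmsFactory" class="org.apache.activemq.ActiveMQConnectionFactory">
    <property name="brokerURL" value="vm://localhost"/>
    <property name="trustAllPackages" value="true"/>
  </bean>
</beans>"""

# Same bean with the property removed, which is what the fix described above does.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    '    <property name="trustAllPackages" value="true"/>\n', "")


def local(name):
    """Strip an XML namespace: '{ns}property' -> 'property'."""
    return name.rsplit("}", 1)[-1]


def is_true(value):
    return (value or "").strip().lower() == "true"


def find_trust_all(xml_text):
    """Return (bean id, how it was set) for every bean enabling trustAllPackages."""
    findings = []
    for bean in ET.fromstring(xml_text).iter():
        if local(bean.tag) != "bean":
            continue
        bean_id = bean.get("id", "<anonymous>")
        # Form 1: p-namespace shortcut, e.g. p:trustAllPackages="true"
        for attr, value in bean.attrib.items():
            if local(attr) == "trustAllPackages" and is_true(value):
                findings.append((bean_id, "attribute"))
        # Form 2: <property name="trustAllPackages" .../> with value attr or nested <value>
        for prop in bean:
            if local(prop.tag) != "property" or prop.get("name") != "trustAllPackages":
                continue
            nested = prop.find("./*")
            value = prop.get("value") or (nested.text if nested is not None else None)
            if is_true(value):
                findings.append((bean_id, "property"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, find_trust_all(text))
```

The check only catches literal `true` values; a property placeholder that resolves to `true` at runtime has to be traced to its source separately.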