Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wY3dwLTI2cHctajk4d84AA-gi
CometVisu Backend for openHAB has a path traversal vulnerability
openHAB's CometVisuServlet is susceptible to an unauthenticated path traversal vulnerability.
Local files on the server can be requested via HTTP GET on the CometVisuServlet.
This vulnerability was discovered with the help of CodeQL's "Uncontrolled data used in path expression" query.
Impact
This issue may lead to Information Disclosure.
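The advisory describes a servlet that hands back local files named by an unauthenticated HTTP GET. The defensive check that closes this class of bug is to resolve the client-supplied path against the intended base directory and refuse anything whose canonical form lands outside it. The following is an added illustration written for this page, not the project's own code and not the fix in the referenced commit; the `SafeFileResolver` class, its method names and the temporary directory used in `main` are all assumed for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Resolves a client-supplied relative path under a fixed base directory and
 * rejects anything that escapes it, lexically ("..") or via symlinks.
 * Hypothetical helper written for this page; not the project's servlet code.
 */
public final class SafeFileResolver {
    private final Path baseDir;

    public SafeFileResolver(Path baseDir) throws IOException {
        // Canonicalize once so symlinks in the base itself cannot skew the check.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Returns the canonical path of an existing regular file inside baseDir,
     * or null if the request must be refused. Expects the value after the
     * servlet container has URL-decoded it (e.g. HttpServletRequest.getPathInfo()).
     */
    public Path resolve(String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // Path info usually starts with '/'; treat it as relative to the base.
        String rel = requested.startsWith("/") ? requested.substring(1) : requested;

        // An absolute string here would replace the base entirely; normalize()
        // collapses "." and "..", and startsWith compares whole path components,
        // so "/srv/base2" is not mistaken for being inside "/srv/base".
        Path candidate = baseDir.resolve(rel).normalize();
        if (!candidate.startsWith(baseDir)) {
            return null;          // lexical escape, e.g. "../../etc/passwd"
        }
        if (!Files.exists(candidate)) {
            return null;          // avoid toRealPath() throwing on missing files
        }
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir)) {
            return null;          // symlink inside the base pointing outside it
        }
        if (!Files.isRegularFile(real)) {
            return null;          // never serve directories or special files
        }
        return real;
    }

    // Demonstration with a constructed temporary directory and one sample file.
    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("safe-file-demo");
        Files.writeString(tmp.resolve("index.html"), "<html></html>");
        SafeFileResolver resolver = new SafeFileResolver(tmp);

        String[] requests = {
            "/index.html",          // legitimate file inside the base
            "/../../etc/passwd",    // traversal attempt, rejected
            "/etc/passwd",          // absolute path, rejected
            "/",                    // the base directory itself, rejected
            "/missing.html"         // nonexistent, rejected
        };
        for (String req : requests) {
            Path result = resolver.resolve(req);
            System.out.println(req + " -> " + (result == null ? "REFUSED" : result));
        }
    }
}
```

The check is deliberately done after canonicalization rather than by string-matching for `..`, because encoded or platform-specific separators and symlinks are exactly where string filters fail; the servlet would call `resolve()` and answer 404 (not an error that echoes the path) whenever it returns null.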
Permalink: https://github.com/advisories/GHSA-pcwp-26pw-j98w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wY3dwLTI2cHctajk4d84AA-gi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 3 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-pcwp-26pw-j98w, CVE-2024-42468
References:
- https://github.com/openhab/openhab-webui/security/advisories/GHSA-pcwp-26pw-j98w
- https://github.com/openhab/openhab-webui/commit/630e8525835c698cf58856aa43782d92b18087f2
- https://github.com/openhab/openhab-webui/blob/1c03c60f84388b9d7da0231df2d4ebb1e17d3fcf/bundles/org.openhab.ui.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/servlet/CometVisuServlet.java#L75
- https://nvd.nist.gov/vuln/detail/CVE-2024-42468
- https://github.com/advisories/GHSA-pcwp-26pw-j98w
Blast Radius: 1.0
Affected Packages
maven:org.openhab.ui.bundles:org.openhab.ui.cometvisu
Affected Version Ranges: <= 4.2.0
Fixed in: 4.2.1