openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Prior to version 4.2.1, CometVisu's file system endpoints don't require authentication and additionally the endpoint to update an existing file is susceptible to path traversal. This makes it possible for an attacker to overwrite existing files on the openHAB instance. If the overwritten file is a shell script that is executed at a later time, this vulnerability can allow remote code execution by an attacker. Users should upgrade to version 4.2.1 to receive a patch.
The file update endpoint in CometVisu does not require authentication, meaning any user on the network can use it. Additionally, the file path parameter is not properly validated, allowing an attacker to use path traversal sequences (e.g., '../') to escape outside the allowed directory. As a result, it is possible to overwrite any file accessible to the openHAB process on the server. If the overwritten file is a shell script executed later, the attacker gains the ability to execute remote code.
An attacker can overwrite critical system files or scripts on an openHAB instance, and in case of overwriting an executable script — take full control of the system through remote code execution (RCE).
The CometVisu plugin must be updated to version 4.2.1, which contains the fix. The patch is available in the openhab/openhab-webui repository (commit 630e8525).
openHAB with the CometVisu plugin (openhab-webui) installed in versions prior to 4.2.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpenhab
APPOpenhab< 4.2.1
Related vulnerabilities
openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformat...
openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on Co...
openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on Co...
openHAB is a vendor and technology agnostic open source automation software for your home. In openHAB before v...
openHAB CometVisu: SSRF i XSS prowadzące do RCE bez uwierzytelnienia