CRITICAL🇵🇱 Wersja polska

CVE-2024-42467

CVSS 10.0v3.1pub. 2024-08-12upd. 2024-08-29

openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Prior to version 4.2.1, the proxy endpoint of openHAB's CometVisu add-on can be accessed without authentication. This proxy-feature can be exploited as Server-Side Request Forgery (SSRF) to induce GET HTTP requests to internal-only servers, in case openHAB is exposed in a non-private network. Furthermore, this proxy-feature can also be exploited as a Cross-Site Scripting (XSS) vulnerability, as an attacker is able to re-route a request to their server and return a page with malicious JavaScript code. Since the browser receives this data directly from the openHAB CometVisu UI, this JavaScript code will be executed with the origin of the CometVisu UI. This allows an attacker to exploit call endpoints on an openHAB server even if the openHAB server is located in a private network. (e.g. by sending an openHAB admin a link that proxies malicious JavaScript.) This issue may lead up to Remote Code Execution (RCE) when chained with other vulnerabilities. Users should upgrade to version 4.2.1 of the CometVisu add-on of openHAB to receive a patch.

🤖 AI Analysis
How it works

An attacker without any authentication can send requests to the CometVisu proxy endpoint, forcing the server to initiate GET requests to internal network resources not publicly accessible (SSRF). Additionally, the attacker can redirect the proxy request to a server controlled by them and return a page with malicious JavaScript code, which will be executed in the context of the CometVisu interface (XSS). An example attack vector is tricking an openHAB administrator into clicking a crafted link, which through the proxy injects malicious JavaScript executed with CometVisu UI privileges, allowing interaction with openHAB server endpoints even in a private network.

Impact

An attacker can gain access to internal network resources (SSRF), execute malicious JavaScript code in the victim's browser (XSS), and in a chaining scenario with other vulnerabilities — lead to full Remote Code Execution on the openHAB server.

Mitigation & patch

The CometVisu addon should be updated to version 4.2.1 or newer, in which access to the proxy endpoint requires authentication. Patch available in the openHAB GitHub repository (commit 630e8525835c698cf58856aa43782d92b18087f2)

Who is affected

openHAB with the CometVisu addon installed in versions prior to 4.2.1, especially when the openHAB server is exposed to a public or semi-public network

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
  • Openhab Web Interface

    APP
    Openhab
    < 4.2.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEXSSSSRF
CWE
References

Related vulnerabilities

CVE-2024-42469CRITICAL9.8PL ✓ten sam vendor

openHAB CometVisu: path traversal umożliwiający RCE bez uwierzytelnienia

CVE-2020-5242HIGH7.7ten sam vendor

openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformat...

CVE-2024-42468MEDIUM5.3ten sam vendor

openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on Co...

CVE-2024-42470MEDIUM6.5ten sam vendor

openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on Co...

CVE-2021-21266MEDIUM6.4ten sam vendor

openHAB is a vendor and technology agnostic open source automation software for your home. In openHAB before v...