Platform
java
Component
org.openhab.ui.bundles:org.openhab.ui.cometvisu
Fixed in
4.2.2
4.2.1
CVE-2024-42469 describes a critical Remote Code Execution (RCE) vulnerability discovered in the openHAB CometVisu component. This flaw allows attackers to overwrite files on the openHAB instance, potentially leading to complete system compromise. The vulnerability affects versions prior to 4.2.1 and was identified through CodeQL analysis. A fix is available in version 4.2.1.
The primary impact of CVE-2024-42469 is the potential for remote code execution. An attacker can exploit this vulnerability by overwriting files within the openHAB instance, particularly shell scripts that are subsequently executed. Successful exploitation could grant the attacker full control over the affected system, enabling them to steal sensitive data, install malware, or disrupt services. The lack of authentication for file system endpoints significantly increases the attack surface, making it easier for unauthorized individuals to exploit this vulnerability. The path traversal vulnerability allows attackers to write files outside of the intended directory, further amplifying the potential for damage.
CVE-2024-42469 was publicly disclosed on August 9, 2024. While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation suggest a high likelihood of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's nature makes it likely that PoCs will emerge. This vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS
13.82% (94% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-42469 is to immediately upgrade to openHAB version 4.2.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict network access to the openHAB instance to only trusted sources. Implement strict file system permissions to limit the attacker's ability to overwrite critical files. Monitor file system activity for suspicious modifications. While a WAF or proxy cannot directly prevent this vulnerability, it can help detect and block malicious requests attempting to exploit it. After upgrading, confirm the fix by attempting to access the vulnerable file endpoints with invalid paths to ensure access is denied.
Update openHAB to version 4.2.1 or higher. This version contains a fix for the path traversal vulnerability in the CometVisu add-on. The update will prevent the remote execution of malicious code.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-42469 is a critical Remote Code Execution vulnerability in openHAB CometVisu, allowing attackers to overwrite files and potentially gain control of the system.
You are affected if you are running openHAB CometVisu versions prior to 4.2.1. Upgrade immediately to mitigate the risk.
Upgrade to openHAB version 4.2.1 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting network access and file system permissions.
While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation suggest a high likelihood of exploitation.
Refer to the official openHAB security advisory for detailed information and updates: [https://www.openhab.org/docs/security/](https://www.openhab.org/docs/security/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.