PT-2018-17295 · Green Electronics · Rainmachine Mini-8

Sam Granger · Published 2018-11-01 · Updated 2019-02-22 · CVE-2018-6012

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Green Electronics RainMachine Mini-8 (2nd generation)
Description: The issue concerns the 'Weather Service' feature, which allows an attacker to inject arbitrary Python code. This is possible via the 'Add new weather data source' upload function.
Recommendations: For the Green Electronics RainMachine Mini-8 (2nd generation), consider disabling the 'Add new weather data source' upload function in the 'Weather Service' feature until a patch is available. Restrict access to this feature to minimize the risk of exploitation.

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2018-6012

Affected Products

Rainmachine Mini-8