PT-2020-18338 · Openhab · Openhab

Kaikreuzer · Published 2020-02-20 · Updated 2020-02-26 · CVE-2020-5242

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: openHAB versions prior to 2.5.2

Description: The issue allows a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2, all commands need to be whitelisted in a local file which cannot be changed via REST calls.

Recommendations: For versions prior to 2.5.2, update to version 2.5.2 or later to ensure that commands are whitelisted in a local file and cannot be changed via REST calls. As a temporary workaround, consider restricting access to the REST API to minimize the risk of exploitation.

Fix

Weakness Enumeration

Incorrect Authorization
Improper Access Control


Related Identifiers

CVE-2020-5242
GHSA-W698-693G-23HV

Affected Products

Openhab