PT-2024-29965 · Cometvisu, Openhab

Published: 2024-08-09
Updated: 2024-09-12
CVE-2024-42469

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: openHAB versions prior to 4.2.1

Description: The issue concerns the CometVisu add-on of openHAB, which has file system endpoints that do not require authentication. Additionally, the endpoint to update an existing file is susceptible to path traversal, making it possible for an attacker to overwrite existing files on the openHAB instance. If the overwritten file is a shell script that is executed at a later time, this can allow remote code execution by an attacker.

Recommendations: For openHAB versions prior to 4.2.1, upgrade to version 4.2.1 to receive a patch. As a temporary workaround, consider restricting access to the file system endpoints to minimize the risk of exploitation. Avoid using the endpoint to update an existing file until the instance is patched.
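The root cause described above is a file-update handler that joins a client-supplied name onto the add-on's file directory without checking that the result stays inside it. The Python snippet below is an added illustration, not openHAB's or CometVisu's own code: it contrasts that unsafe join with a containment check that rejects traversal, using a constructed temporary directory and sample filenames (the missing authentication on the endpoints is a separate fix and is not shown here).

```python
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a client-supplied name resolves outside the base directory."""


def unsafe_target(base, name: str) -> Path:
    # Unsafe: os.path.join follows "../" segments and absolute names out of base.
    return Path(os.path.join(str(base), name))


def safe_target(base, name: str) -> Path:
    """Resolve name under base and refuse anything that escapes it.

    resolve() also follows symlinks, so a link inside base pointing outside
    is rejected too. Assumption: base is the only directory writes may touch.
    """
    base_real = Path(base).resolve()
    candidate = (base_real / name).resolve()  # non-existent leaf is fine
    if candidate != base_real and base_real not in candidate.parents:
        raise PathTraversalError(f"rejected path outside base: {name!r}")
    return candidate


def update_file(base, name: str, content: bytes) -> Path:
    """Hardened update endpoint: only overwrites files already under base."""
    target = safe_target(base, name)
    if not target.is_file():
        raise FileNotFoundError(name)
    target.write_bytes(content)
    return target


def demo() -> dict:
    """Constructed scenario: a designs dir with one config, a script outside it."""
    root = Path(tempfile.mkdtemp())
    base = root / "designs"
    base.mkdir()
    (base / "visu_config.xml").write_bytes(b"<pages/>")
    script = root / "run.sh"
    script.write_bytes(b"#!/bin/sh\necho ok\n")
    attempt = "../run.sh"  # constructed traversal input
    results = {"unsafe_escapes": unsafe_target(base, attempt).resolve() == script.resolve(),
               "safe_rejects": False,
               "legit_ok": update_file(base, "visu_config.xml", b"<pages>x</pages>")
               == (base / "visu_config.xml").resolve()}
    try:
        update_file(base, attempt, b"#!/bin/sh\n")
    except PathTraversalError:
        results["safe_rejects"] = True
    results["script_intact"] = script.read_bytes() == b"#!/bin/sh\necho ok\n"
    return results
```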

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2024-42469
GHSA-F729-58X4-GQGF

Affected Products

Cometvisu
Openhab