Cyber Resilience

CVE-2024-42469

Critical

Published: 12 August 2024

Modified: 12 September 2024
KEV Added: not listed
Patch: version 4.2.1
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1382 (94.5th percentile)
Risk Priority: 28 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-42469 is a critical-severity path traversal (CWE-22) vulnerability in openHAB (vendor: openHAB). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 5.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

openHAB is an open-source home automation platform whose CometVisu visualization add-on, prior to version 4.2.1, exposed unauthenticated file-system endpoints. One of these endpoints accepted updates to existing files and was vulnerable to path traversal (CWE-22), allowing arbitrary file writes on the underlying host without authentication or user interaction. The issue carries a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can therefore overwrite any file writable by the openHAB process. When the overwritten file is a shell script later executed by the server or an administrator, the attacker obtains remote code execution on the instance.

The project’s security advisory and the referenced commit in openhab-webui indicate that version 4.2.1 contains the fix; administrators are advised to upgrade the CometVisu add-on to that release. The EPSS score has remained flat at 0.1382 since disclosure, providing no evidence of increasing exploitation interest.

EU & UK References

Vulnerability details

openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Prior to version 4.2.1, CometVisu's file system endpoints don't require authentication and additionally the endpoint to update an existing file is susceptible to path traversal.


This makes it possible for an attacker to overwrite existing files on the openHAB instance. If the overwritten file is a shell script that is executed at a later time, this vulnerability can allow remote code execution by an attacker. Users should upgrade to version 4.2.1 to receive a patch.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: openhab
Product: openhab
Versions: ≤ 4.2.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
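The weakness described in the vulnerability details (an update-existing-file endpoint that joins a user-supplied name onto its base directory without checking the result) and the pathname-validation control listed above, illustrated in a Python example added to this record. It is not openHAB or CometVisu code; the directory layout, file names and request paths are constructed for the demonstration. The naive join stands in for an unchecked update handler, and the hardened version shows the canonicalise-then-containment check that the control describes, plus the update-only rule that stops the endpoint from creating new files.

```python
"""Path-traversal check for an "update an existing file" endpoint (CWE-22).

Added illustration, not openHAB/CometVisu code. The base directory, file
names and request paths used in demo() are constructed for the example.
"""
import tempfile
from pathlib import Path


def vulnerable_target(base_dir: str, requested: str) -> Path:
    """Naive join: the user-controlled name is never checked against base_dir.

    A requested name such as '../outside.sh' climbs out of the tree, and an
    absolute path replaces base_dir entirely under pathlib's '/' operator.
    """
    return Path(base_dir) / requested


def safe_target(base_dir: str, requested: str, must_exist: bool = True) -> Path:
    """Resolve the request and refuse anything that lands outside base_dir.

    resolve() collapses '..' segments and follows symlinks on both sides, so a
    symlink planted inside the tree that points outside is rejected as well.
    For an update-only endpoint the target must already be a regular file,
    so the handler cannot create new files or write through a directory.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate == base:
        raise PermissionError("refusing to write to the base directory itself")
    try:
        candidate.relative_to(base)  # raises ValueError when outside base
    except ValueError:
        raise PermissionError(f"path traversal rejected: {requested!r}") from None
    if must_exist and not candidate.is_file():
        raise FileNotFoundError(f"not an existing regular file: {requested!r}")
    return candidate


def update_file(base_dir: str, requested: str, content: str) -> Path:
    """Hardened update handler: the write goes only through the validated path."""
    target = safe_target(base_dir, requested)
    target.write_text(content)
    return target


def demo() -> dict:
    """Exercise both versions inside a throwaway directory (constructed data)."""
    root = Path(tempfile.mkdtemp())
    base = root / "cometvisu"
    (base / "config").mkdir(parents=True)
    (base / "config" / "visu_config.xml").write_text("<pages/>")
    outside = root / "outside.sh"          # a file the endpoint must never touch
    outside.write_text("#!/bin/sh\necho original\n")

    results = {}
    # 1. The naive join points straight at a file outside the base directory.
    naive = vulnerable_target(str(base), "../outside.sh").resolve()
    results["naive_escapes"] = naive == outside.resolve()
    # 2. The hardened check rejects the same '..' request ...
    try:
        safe_target(str(base), "../outside.sh")
        results["safe_rejects_dotdot"] = False
    except PermissionError:
        results["safe_rejects_dotdot"] = True
    # ... and an absolute path, which would otherwise replace the base.
    try:
        safe_target(str(base), str(outside))
        results["safe_rejects_absolute"] = False
    except PermissionError:
        results["safe_rejects_absolute"] = True
    # 3. A legitimate in-tree update still works.
    updated = update_file(str(base), "config/visu_config.xml", "<pages><page/></pages>")
    results["legit_update_ok"] = updated.read_text() == "<pages><page/></pages>"
    # 4. The outside file is unchanged after all of the above.
    results["outside_untouched"] = outside.read_text() == "#!/bin/sh\necho original\n"
    # 5. Creating a new file through the update endpoint is refused.
    try:
        update_file(str(base), "config/new.xml", "x")
        results["rejects_new_file"] = False
    except FileNotFoundError:
        results["rejects_new_file"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The containment test is done on the resolved path rather than on the raw string, which is why it catches encoded or symlinked variants that a substring check for `..` would miss. Authentication on the endpoint, which the advisory also calls for, is a separate control and is not shown here.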

References