{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-42468", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-08-02T14:13:04.614Z", "datePublished": "2024-08-09T18:10:20.660Z", "dateUpdated": "2024-08-13T18:39:57.323Z"}, "containers": {"cna": {"title": "Path traversal (CometVisu)", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openhab/openhab-webui/security/advisories/GHSA-pcwp-26pw-j98w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openhab/openhab-webui/security/advisories/GHSA-pcwp-26pw-j98w"}, {"name": "https://github.com/openhab/openhab-webui/commit/630e8525835c698cf58856aa43782d92b18087f2", "tags": ["x_refsource_MISC"], "url": "https://github.com/openhab/openhab-webui/commit/630e8525835c698cf58856aa43782d92b18087f2"}, {"name": "https://github.com/openhab/openhab-webui/blob/1c03c60f84388b9d7da0231df2d4ebb1e17d3fcf/bundles/org.openhab.ui.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/servlet/CometVisuServlet.java#L75", "tags": ["x_refsource_MISC"], "url": "https://github.com/openhab/openhab-webui/blob/1c03c60f84388b9d7da0231df2d4ebb1e17d3fcf/bundles/org.openhab.ui.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/servlet/CometVisuServlet.java#L75"}], "affected": [{"vendor": "openhab", "product": "openhab-webui", "versions": [{"version": "< 4.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-09T18:10:20.660Z"}, "descriptions": [{"lang": "en", "value": "openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. CometVisuServlet in versions prior to 4.2.1 is susceptible to an unauthenticated path traversal vulnerability. Local files on the server can be requested via HTTP GET on the CometVisuServlet. This issue may lead to information disclosure. Users should upgrade to version 4.2.1 of the CometVisu add-on of openHAB to receive a patch."}], "source": {"advisory": "GHSA-pcwp-26pw-j98w", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "openhab", "product": "openhab_webui", "cpes": ["cpe:2.3:a:openhab:openhab_webui:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "4.2.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-13T18:39:19.637425Z", "id": "CVE-2024-42468", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T18:39:57.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-42468", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-13T18:39:19.637425Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:openhab:openhab_webui:*:*:*:*:*:*:*:*"], "vendor": "openhab", "product": "openhab_webui", "versions": [{"status": "affected", "version": "0", "lessThan": "4.2.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T18:39:53.666Z"}}], "cna": {"title": "Path traversal (CometVisu)", "source": {"advisory": "GHSA-pcwp-26pw-j98w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "openhab", "product": "openhab-webui", "versions": [{"status": "affected", "version": "< 4.2.1"}]}], "references": [{"url": "https://github.com/openhab/openhab-webui/security/advisories/GHSA-pcwp-26pw-j98w", "name": "https://github.com/openhab/openhab-webui/security/advisories/GHSA-pcwp-26pw-j98w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openhab/openhab-webui/commit/630e8525835c698cf58856aa43782d92b18087f2", "name": "https://github.com/openhab/openhab-webui/commit/630e8525835c698cf58856aa43782d92b18087f2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openhab/openhab-webui/blob/1c03c60f84388b9d7da0231df2d4ebb1e17d3fcf/bundles/org.openhab.ui.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/servlet/CometVisuServlet.java#L75", "name": "https://github.com/openhab/openhab-webui/blob/1c03c60f84388b9d7da0231df2d4ebb1e17d3fcf/bundles/org.openhab.ui.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/servlet/CometVisuServlet.java#L75", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. CometVisuServlet in versions prior to 4.2.1 is susceptible to an unauthenticated path traversal vulnerability. Local files on the server can be requested via HTTP GET on the CometVisuServlet. This issue may lead to information disclosure. Users should upgrade to version 4.2.1 of the CometVisu add-on of openHAB to receive a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-09T18:10:20.660Z"}}}, "cveMetadata": {"cveId": "CVE-2024-42468", "state": "PUBLISHED", "dateUpdated": "2024-08-13T18:39:57.323Z", "dateReserved": "2024-08-02T14:13:04.614Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-08-09T18:10:20.660Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openhab:openhab:*:*:*:*:*:*:*:*", "matchCriteriaId": "8140B9BF-E3FB-4946-80AE-90E607364AB2", "versionEndExcluding": "4.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. CometVisuServlet in versions prior to 4.2.1 is susceptible to an unauthenticated path traversal vulnerability. Local files on the server can be requested via HTTP GET on the CometVisuServlet. This issue may lead to information disclosure. Users should upgrade to version 4.2.1 of the CometVisu add-on of openHAB to receive a patch."}, {"lang": "es", "value": "openHAB, un proveedor de software de automatizaci\u00f3n del hogar de c\u00f3digo abierto, tiene complementos que incluyen el complemento de visualizaci\u00f3n CometVisu. CometVisuServlet en versiones anteriores a la 4.2.1 es susceptible a una vulnerabilidad de Path Traversal no autenticada. Los archivos locales en el servidor se pueden solicitar a trav\u00e9s de HTTP GET en el CometVisuServlet. Este problema puede dar lugar a la divulgaci\u00f3n de informaci\u00f3n. Los usuarios deben actualizar a la versi\u00f3n 4.2.1 del complemento CometVisu de openHAB para recibir un parche."}], "id": "CVE-2024-42468", "lastModified": "2024-09-12T16:01:42.113", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-08-12T13:38:34.970", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openhab/openhab-webui/blob/1c03c60f84388b9d7da0231df2d4ebb1e17d3fcf/bundles/org.openhab.ui.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/servlet/CometVisuServlet.java#L75"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openhab/openhab-webui/commit/630e8525835c698cf58856aa43782d92b18087f2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openhab/openhab-webui/security/advisories/GHSA-pcwp-26pw-j98w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}