openHAB is an open-source home automation platform whose add-ons include the CometVisu visualization add-on. Several endpoints of the CometVisu add-on in versions prior to 4.2.1 do not require authentication, so an unauthenticated attacker can read or modify sensitive data; this is a missing-authorization (CWE-862) issue that may lead to sensitive information disclosure. Users should upgrade to version 4.2.1 of the CometVisu add-on to receive the fix.
History

Thu, 12 Sep 2024 16:30:00 +0000
  Type                 Values Removed   Values Added
  First Time appeared  (none)           Openhab openhab
  CPEs                 (none)           cpe:2.3:a:openhab:openhab:*:*:*:*:*:*:*:*
  Vendors & Products   (none)           Openhab openhab

Fri, 09 Aug 2024 22:30:00 +0000
  Type                 Values Removed   Values Added
  First Time appeared  (none)           Openhab; Openhab openhab Webui
  CPEs                 (none)           cpe:2.3:a:openhab:openhab_webui:*:*:*:*:*:*:*:*
  Vendors & Products   (none)           Openhab; Openhab openhab Webui
  Metrics              (none)           ssvc (version 2.0.3): Automatable: yes; Exploitation: none; Technical Impact: partial

Fri, 09 Aug 2024 18:15:00 +0000
  Type                 Values Removed   Values Added
  Description          (none)           the advisory text shown at the top of this page
  Title                (none)           CometVisu Backend for openHAB has a sensitive information disclosure vulnerability
  Weaknesses           (none)           CWE-862
  References           (none)           (no values listed)
  Metrics              (none)           cvssV3_1: score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published: 2024-08-09T18:02:12.061Z
  Updated: 2024-08-09T21:32:13.351Z
  Reserved: 2024-08-02T14:13:04.615Z
  Link: CVE-2024-42470

Vulnrichment
  Updated: 2024-08-09T21:31:40.634Z

NVD
  Status: Analyzed
  Published: 2024-08-12T13:38:35.440
  Modified: 2024-09-12T16:04:23.273
  Link: CVE-2024-42470

Redhat
  No data.