Vulnerability Description
The 'Weather Service' feature of the Green Electronics RainMachine Mini-8 (2nd generation) allows an attacker to inject arbitrary Python code via the 'Add new weather data source' upload function.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rainmachine | Mini-8 Firmware | >= 4.0.539, <= 4.0.975 |
| Rainmachine | Mini-8 | - |
Related Weaknesses (CWE)
References
- http://www.irongeek.com/i.php?page=videos/bsidesrdu2018/bsidesrdu-2018-07-when-iExploitThird Party Advisory
- http://www.irongeek.com/i.php?page=videos/bsidesrdu2018/bsidesrdu-2018-07-when-iExploitThird Party Advisory
FAQ
What is CVE-2018-6012?
CVE-2018-6012 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The 'Weather Service' feature of the Green Electronics RainMachine Mini-8 (2nd generation) allows an attacker to inject arbitrary Python code via the 'Add new weather data source' upload function.
How severe is CVE-2018-6012?
CVE-2018-6012 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-6012?
Check the references section above for vendor advisories and patch information. Affected products include: Rainmachine Mini-8 Firmware, Rainmachine Mini-8.