Vulnerability Description
openHAB before 2.5.2 allows a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2, all commands must be whitelisted in a local file that cannot be changed via REST calls.
CVSS Score
7.7 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openhab | Openhab | < 2.5.2 |
Related Weaknesses (CWE)
References
- https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54 (Patch, Third Party Advisory)
- https://github.com/openhab/openhab-addons/security/advisories/GHSA-w698-693g-23h (Third Party Advisory)
FAQ
What is CVE-2020-5242?
CVE-2020-5242 is a vulnerability with a CVSS score of 7.7 (HIGH). openHAB before 2.5.2 allows a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user r...
How severe is CVE-2020-5242?
CVE-2020-5242 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2020-5242?
Check the references section above for vendor advisories and patch information. Affected products include: Openhab Openhab (versions before 2.5.2).