CVE-2021-21266 — MEDIUM (6.4)

Q: How severe is CVE-2021-21266?

CVE-2021-21266 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-21266?

Check the references section above for vendor advisories and patch information. Affected products include: Openhab Openhab.

Vulnerability Description

openHAB is a vendor and technology agnostic open source automation software for your home. In openHAB before versions 2.5.12 and 3.0.1 the XML external entity (XXE) attack allows attackers in the same network as the openHAB instance to retrieve internal information like the content of files from the file system. Responses to SSDP requests can be especially malicious. All add-ons that use SAX or JAXB parsing of externally received XML are potentially subject to this kind of attack. In openHAB, the following add-ons are potentially impacted: AvmFritz, BoseSoundtouch, DenonMarantz, DLinkSmarthome, Enigma2, FmiWeather, FSInternetRadio, Gce, Homematic, HPPrinter, IHC, Insteon, Onkyo, Roku, SamsungTV, Sonos, Roku, Tellstick, TR064, UPnPControl, Vitotronic, Wemo, YamahaReceiver and XPath Tranformation. The vulnerabilities have been fixed in versions 2.5.12 and 3.0.1 by a more strict configuration of the used XML parser.

CVSS Score

6.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Openhab	Openhab	< 2.5.12

Related Weaknesses (CWE)

CWE-611

References

https://dev.to/brianverm/configure-your-java-xml-parsers-to-prevent-xxe-213cThird Party Advisory
https://github.com/openhab/openhab-addons/commit/81935b0ab126e6d9aebd2f6c3fc67d8PatchThird Party Advisory
https://github.com/openhab/openhab-addons/security/advisories/GHSA-r2hc-pmr7-4c9PatchThird Party Advisory
https://www.contrastsecurity.com/security-influencers/xml-xxe-pitfalls-with-jaxbTechnical DescriptionThird Party Advisory
https://dev.to/brianverm/configure-your-java-xml-parsers-to-prevent-xxe-213cThird Party Advisory
https://github.com/openhab/openhab-addons/commit/81935b0ab126e6d9aebd2f6c3fc67d8PatchThird Party Advisory
https://github.com/openhab/openhab-addons/security/advisories/GHSA-r2hc-pmr7-4c9PatchThird Party Advisory
https://www.contrastsecurity.com/security-influencers/xml-xxe-pitfalls-with-jaxbTechnical DescriptionThird Party Advisory

FAQ

What is CVE-2021-21266?

CVE-2021-21266 is a vulnerability with a CVSS score of 6.4 (MEDIUM). openHAB is a vendor and technology agnostic open source automation software for your home. In openHAB before versions 2.5.12 and 3.0.1 the XML external entity (XXE) attack allows attackers in the same...

How severe is CVE-2021-21266?

CVE-2021-21266 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-21266?

Check the references section above for vendor advisories and patch information. Affected products include: Openhab Openhab.