CVE-2022-24796 — CRITICAL (10.0)

Q: How severe is CVE-2022-24796?

CVE-2022-24796 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-24796?

Check the references section above for vendor advisories and patch information. Affected products include: Raspberrymatic Raspberrymatic.

Vulnerability Description

RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices. A Remote Code Execution (RCE) vulnerability in the file upload facility of the WebUI interface of RaspberryMatic exists. Missing input validation/sanitization in the file upload mechanism allows remote, unauthenticated attackers with network access to the WebUI interface to achieve arbitrary operating system command execution via shell metacharacters in the HTTP query string. Injected commands are executed as root, thus leading to a full compromise of the underlying system and all its components. Versions after `2.31.25.20180428` and prior to `3.63.8.20220330` are affected. Users are advised to update to version `3.63.8.20220330` or newer. There are currently no known workarounds to mitigate the security impact and users are advised to update to the latest version available.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Raspberrymatic	Raspberrymatic	>= 2.31.25.20180428, < 3.63.8.20220330

Related Weaknesses (CWE)

CWE-78

References

https://github.com/jens-maus/RaspberryMatic/commit/34854659a63e9fb3ad529bb413e96PatchThird Party Advisory
https://github.com/jens-maus/RaspberryMatic/security/advisories/GHSA-g7vv-7rmf-mPatchThird Party Advisory
https://github.com/jens-maus/RaspberryMatic/commit/34854659a63e9fb3ad529bb413e96PatchThird Party Advisory
https://github.com/jens-maus/RaspberryMatic/security/advisories/GHSA-g7vv-7rmf-mPatchThird Party Advisory

FAQ

What is CVE-2022-24796?

CVE-2022-24796 is a vulnerability with a CVSS score of 10.0 (CRITICAL). RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices. A Remote Code Execution (RCE) vulnerabilit...

How severe is CVE-2022-24796?

CVE-2022-24796 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-24796?

Check the references section above for vendor advisories and patch information. Affected products include: Raspberrymatic Raspberrymatic.