Vulnerabilities > CVE-2020-5242 - Incorrect Authorization vulnerability in Openhab

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

openhab

CWE-863

critical

NVD

Published: 2020-02-20

Updated: 2020-02-26

Summary

openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file which cannot be changed via REST calls.

Vulnerable Configurations

Part	Description	Count
Application	Openhab Openhab Openhab *	1

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

References

https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031
https://github.com/openhab/openhab-addons/security/advisories/GHSA-w698-693g-23hv