Description
openHAB, an open-source home automation platform, ships add-ons including the visualization add-on CometVisu. In versions prior to 4.2.1, CometVisuServlet is susceptible to an unauthenticated path traversal vulnerability: local files on the server can be requested via HTTP GET to the CometVisuServlet, which may lead to information disclosure. Users should upgrade to version 4.2.1 of the openHAB CometVisu add-on to receive the patch.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/openhab/openhab-webui/security/advisories/GHSA-pcwp-26pw-j98w
Patch x_refsource_misc
https://github.com/openhab/openhab-webui/commit/630e8525835c698cf58856aa43782d92b18087f2
Scores
CVSS v3
5.3
EPSS
0.0155
EPSS Percentile
81.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
openhab/openhab
< 4.2.1
org.openhab.ui.bundles/org.openhab.ui.cometvisu
0 - 4.2.1 (Maven)
Published
Aug 12, 2024
Tracked Since
Feb 18, 2026