CVE-2021-21266 – XXE vulnerability in OpenHAB
https://notcve.org/view.php?id=CVE-2021-21266
openHAB is a vendor and technology agnostic open source automation software for your home. In openHAB before versions 2.5.12 and 3.0.1 the XML external entity (XXE) attack allows attackers in the same network as the openHAB instance to retrieve internal information like the content of files from the file system. Responses to SSDP requests can be especially malicious. All add-ons that use SAX or JAXB parsing of externally received XML are potentially subject to this kind of attack. In openHAB, the following add-ons are potentially impacted: AvmFritz, BoseSoundtouch, DenonMarantz, DLinkSmarthome, Enigma2, FmiWeather, FSInternetRadio, Gce, Homematic, HPPrinter, IHC, Insteon, Onkyo, Roku, SamsungTV, Sonos, Roku, Tellstick, TR064, UPnPControl, Vitotronic, Wemo, YamahaReceiver and XPath Tranformation. • https://dev.to/brianverm/configure-your-java-xml-parsers-to-prevent-xxe-213c https://github.com/openhab/openhab-addons/commit/81935b0ab126e6d9aebd2f6c3fc67d82bb7e8b86 https://github.com/openhab/openhab-addons/security/advisories/GHSA-r2hc-pmr7-4c9r https://www.contrastsecurity.com/security-influencers/xml-xxe-pitfalls-with-jaxb • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2020-5242 – openHAB exec add-ons allow remote arbitrary command execution
https://notcve.org/view.php?id=CVE-2020-5242
openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file which cannot be changed via REST calls. openHAB versiones anteriores a 2.5.2, permite a un atacante remoto usar llamadas REST para instalar el enlace EXEC o el servicio de transformación EXEC y ejecutar comandos arbitrarios en el sistema con los privilegios del usuario que ejecuta openHAB. A partir de la versión 2.5.2, todos los comandos necesitan ser incluidos en una lista blanca en un archivo local que no puede ser cambiado mediante llamadas REST. • https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031 https://github.com/openhab/openhab-addons/security/advisories/GHSA-w698-693g-23hv • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •