
CVE-2024-42470: CometVisu Backend for openHAB has a sensitive information disclosure vulnerability

CVSS Score
6.5 (CVSS v3.1)

Basic Information

EPSS Score
0.33626%
Published
8/9/2024
Updated
8/12/2024
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Package Name
org.openhab.ui.bundles:org.openhab.ui.cometvisu
Ecosystem
maven
Vulnerable Versions
<= 4.2.0
First Patched Version
4.2.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from REST endpoints missing authentication annotations. The patch added @RolesAllowed and security requirements to ConfigResource, FsResource, and MoveResource, indicating these were previously unprotected. Removed resources (LoginResource, ReadResource, WriteResource) showed deprecated endpoints that lacked authorization checks. The CWE-862 (Missing Authorization) and commit message referencing 'required authentication' confirm these functions were vulnerable.
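The defect class described above, shown as an added illustration rather than the openHAB patch itself: a JAX-RS resource whose handlers carry no authorization annotation, beside the hardened form that applies @RolesAllowed at class level. The class names, the path, the role string and the two config helpers are assumptions for illustration; the real annotations and roles are in the upstream commit.

```java
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;

// BEFORE (the pattern CVE-2024-42470 describes): neither the class nor its
// methods declare who may call them, so the container routes unauthenticated
// requests straight into the handler bodies. Names below are illustrative.
@Path("/cometvisu/config")
public class ConfigResourceVulnerable {
    @GET
    public Response readConfig() {
        return Response.ok(loadConfig()).build();   // config disclosed to anyone
    }

    @PUT
    public Response writeConfig(String body) {
        saveConfig(body);                           // config writable by anyone
        return Response.noContent().build();
    }

    // Stand-ins for the real persistence layer (assumed, not openHAB code).
    private String loadConfig() { return "{}"; }
    private void saveConfig(String body) { /* persist */ }
}

// AFTER: @RolesAllowed on the class covers every handler, including ones added
// later, so the JAX-RS security layer rejects callers lacking the role before
// any method body runs. Note the check is only enforced when the runtime has a
// roles-allowed feature or equivalent security filter registered; an
// annotation with no enforcing filter is a silent no-op, so verify that in
// tests by asserting an anonymous request to each path returns 401/403.
@Path("/cometvisu/config")
@RolesAllowed("admin")
public class ConfigResourceFixed {
    @GET
    public Response readConfig() {
        return Response.ok(loadConfig()).build();
    }

    @PUT
    public Response writeConfig(String body) {
        saveConfig(body);
        return Response.noContent().build();
    }

    private String loadConfig() { return "{}"; }
    private void saveConfig(String body) { /* persist */ }
}
```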


WAF Protection Rules

WAF Rule

Several endpoints in the CometVisu add-on of openHAB don't require authentication. This makes it possible for unauthenticated attackers to modify or to steal sensitive data.

Impact
This issue may lead to sensitive information disclosure.
