[MAVEN:GHSA-PCWP-26PW-J98W] CometVisu Backend for openHAB has a path traversal vulnerability

Severity Moderate
Affected Packages 1
Fixed Packages 1
CVEs 1

openHAB's CometVisuServlet is susceptible to an unauthenticated path traversal vulnerability.

Local files on the server can be requested via HTTP GET on the CometVisuServlet.

This vulnerability was discovered with the help of CodeQL's "Uncontrolled data used in path expression" query.

Impact

This issue may lead to Information Disclosure.
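As an added defensive example (not openHAB's own code or the fix shipped in org.openhab.ui.cometvisu 4.2.1), this is the containment check a servlet that serves files from a fixed directory needs before opening a client-supplied path from an HTTP GET; the class name, the temporary base directory and the sample requests are assumptions constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical helper: resolves a client-supplied path against a fixed base
 *  directory and rejects anything that escapes it. Not openHAB's actual fix. */
public final class SafePathResolver {

    /** Returns the resolved path, or throws if it escapes the base directory. */
    public static Path resolve(Path baseDir, String requested) throws IOException {
        // Canonicalize the base once (resolves symlinks) so comparisons are stable.
        Path base = baseDir.toRealPath();
        // A file-serving servlet should only accept relative names, never absolute ones.
        if (requested == null || requested.isEmpty() || Paths.get(requested).isAbsolute()) {
            throw new IOException("invalid path");
        }
        // normalize() collapses "." and ".." lexically; startsWith() then compares
        // whole path components, so "/base" does not falsely match "/basement".
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("path escapes base directory: " + requested);
        }
        // If the target exists, also compare its real path so a symlink inside
        // the base directory cannot point outside it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new IOException("path escapes base directory via symlink: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("servlet-demo"); // constructed base dir
        Files.writeString(base.resolve("index.html"), "<html></html>");
        // Constructed sample requests: one legitimate, two that try to leave the base.
        for (String req : new String[] {"index.html", "../outside.txt", "a/../../outside.txt"}) {
            try {
                System.out.println(req + " -> " + resolve(base, req));
            } catch (IOException e) {
                System.out.println(req + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first request resolves; the other two are rejected before any file is opened, which is the behaviour an unauthenticated file-serving endpoint must have regardless of how the servlet container decoded the request path.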

ID: MAVEN:GHSA-PCWP-26PW-J98W
Severity: moderate
URL: https://github.com/advisories/GHSA-pcwp-26pw-j98w
Published: 2024-08-09T18:24:14
Modified: 2024-08-09T18:24:15
Rights: Maven Security Team
Type      Package URL                                                  Namespace                Name                         Version
Affected  pkg:maven/org.openhab.ui.bundles/org.openhab.ui.cometvisu    org.openhab.ui.bundles   org.openhab.ui.cometvisu     <= 4.2.0
Fixed     pkg:maven/org.openhab.ui.bundles/org.openhab.ui.cometvisu    org.openhab.ui.bundles   org.openhab.ui.cometvisu     = 4.2.1