admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-merge PR#675

Browse Source 
Auto-merge PR#675
This commit is contained in:
CVE Team 2021-02-01 09:40:21 -05:00 committed by GitHub
commit fb2c79ad3b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 89 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
2021/21xxx/CVE-2021-21266.json
View File

@ -1,18 +1,101 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21266",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "XXE vulnerability in OpenHAB"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "openhab-addons",
"version": {
"version_data": [
{
"version_value": "< 2.5.12"
},
{
"version_value": "= 3.0.0"
}
]
}
}
]
},
"vendor_name": "openhab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "openHAB is a vendor and technology agnostic open source automation software for your home. In openHAB before versions 2.5.12 and 3.0.1 the XML external entity (XXE) attack allows attackers in the same network as the openHAB instance to retrieve internal information like the content of files from the file system. Responses to SSDP requests can be especially malicious. All add-ons that use SAX or JAXB parsing of externally received XML are potentially subject to this kind of attack. In openHAB, the following add-ons are potentially impacted: AvmFritz, BoseSoundtouch, DenonMarantz, DLinkSmarthome, Enigma2, FmiWeather, FSInternetRadio, Gce, Homematic, HPPrinter, IHC, Insteon, Onkyo, Roku, SamsungTV, Sonos, Roku, Tellstick, TR064, UPnPControl, Vitotronic, Wemo, YamahaReceiver and XPath Tranformation.\n\nThe vulnerabilities have been fixed in versions 2.5.12 and 3.0.1 by a more strict configuration of the used XML parser."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference ('XXE')"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/openhab/openhab-addons/security/advisories/GHSA-r2hc-pmr7-4c9r",
"refsource": "CONFIRM",
"url": "https://github.com/openhab/openhab-addons/security/advisories/GHSA-r2hc-pmr7-4c9r"
},
{
"name": "https://dev.to/brianverm/configure-your-java-xml-parsers-to-prevent-xxe-213c",
"refsource": "MISC",
"url": "https://dev.to/brianverm/configure-your-java-xml-parsers-to-prevent-xxe-213c"
},
{
"name": "https://www.contrastsecurity.com/security-influencers/xml-xxe-pitfalls-with-jaxb",
"refsource": "MISC",
"url": "https://www.contrastsecurity.com/security-influencers/xml-xxe-pitfalls-with-jaxb"
},
{
"name": "https://github.com/openhab/openhab-addons/commit/81935b0ab126e6d9aebd2f6c3fc67d82bb7e8b86",
"refsource": "MISC",
"url": "https://github.com/openhab/openhab-addons/commit/81935b0ab126e6d9aebd2f6c3fc67d82bb7e8b86"
}
]
},
"source": {
"advisory": "GHSA-r2hc-pmr7-4c9r",
"discovery": "UNKNOWN"
}
}