CVE-2024-42467: 
Java vulnerability analysis and mitigation

OpenHAB's CometVisu add-on, prior to version 4.2.1, contains a critical security vulnerability (CVE-2024-42467) where the proxy endpoint can be accessed without authentication. This vulnerability was discovered in early 2024 and affects the visualization component of the open-source home automation software (GitHub Advisory, NVD).

The vulnerability is classified as a Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS) issue. The proxy endpoint allows unauthenticated GET HTTP requests to internal-only servers when openHAB is exposed in a non-private network. The CVSS v3.1 score is 10.0 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating the highest severity level (NVD).

The vulnerability enables attackers to execute malicious JavaScript code with the origin of the CometVisu UI, potentially leading to Remote Code Execution (RCE) when chained with other vulnerabilities. Attackers can exploit endpoints on an openHAB server even if it's located in a private network, for example, by sending an openHAB admin a link that proxies malicious JavaScript (Security Lab).

Users should upgrade to CometVisu add-on version 4.2.1 or later, which includes a patch for this vulnerability. The fix was implemented through a security update that adds required authentication for REST endpoints and includes additional sanity checks to improve security (GitHub Commit).