{"id":"CVE-2020-5242","details":"openHAB before 2.5.2 allows a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file which cannot be changed via REST calls.","modified":"2026-04-11T13:53:21.926586Z","published":"2020-02-20T23:15:20.723Z","related":["GHSA-w698-693g-23hv"],"references":[{"type":"ADVISORY","url":"https://github.com/openhab/openhab-addons/security/advisories/GHSA-w698-693g-23hv"},{"type":"FIX","url":"https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openhab/openhab-addons","events":[{"introduced":"0"},{"fixed":"4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"}]},{"type":"GIT","repo":"https://github.com/openhab/openhab-webui","events":[{"introduced":"0"},{"fixed":"76c75a2098754135924370fd77e869f57ee91c8d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.5.2"}]}}],"versions":["2.0.0-alpha1","2.0.0-alpha2","2.0.0.b2","2.0.0.b4","2.0.0.beta1","2.0.0.beta2","2.5.0"],"database_specific":{"vanir_signatures_modified":"2026-04-11T13:53:21Z","vanir_signatures":[{"target":{"function":"transform","file":"bundles/org.openhab.transform.exec/src/main/java/org/openhab/transform/exec/internal/ExecTransformationService.java"},"signature_version":"v1","digest":{"function_hash":"304822035043031129002935998192794563283","length":528},"deprecated":false,"signature_type":"Function","id":"CVE-2020-5242-1267729f","source":"https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"},{"target":{"file":"bundles/org.openhab.binding.exec/src/main/java/org/openhab/binding/exec/internal/ExecBindingConstants.java"},"signature_version":"v1","digest":{"threshold":0.9},"deprecated":false,"signature_type":"Line","id":"CVE-2020-5242-2c6eee89","source":"https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"},{"target":{"function":"createHandler","file":"bundles/org.openhab.binding.exec/src/main/java/org/openhab/binding/exec/internal/ExecHandlerFactory.java"},"signature_version":"v1","digest":{"function_hash":"37643124392136742223172402995496857346","length":159},"deprecated":false,"signature_type":"Function","id":"CVE-2020-5242-340abbb5","source":"https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"},{"target":{"file":"bundles/org.openhab.transform.exec/src/main/java/org/openhab/transform/exec/internal/profiles/ExecTransformationProfile.java"},"signature_version":"v1","digest":{"threshold":0.9},"deprecated":false,"signature_type":"Line","id":"CVE-2020-5242-4a66af90","source":"https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"},{"target":{"function":"ExecHandler","file":"bundles/org.openhab.binding.exec/src/main/java/org/openhab/binding/exec/internal/handler/ExecHandler.java"},"signature_version":"v1","digest":{"function_hash":"168686047922468626920214361365486149710","length":126},"deprecated":false,"signature_type":"Function","id":"CVE-2020-5242-5996ce55","source":"https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"},{"target":{"file":"bundles/org.openhab.binding.exec/src/main/java/org/openhab/binding/exec/internal/ExecHandlerFactory.java"},"signature_version":"v1","digest":{"threshold":0.9},"deprecated":false,"signature_type":"Line","id":"CVE-2020-5242-60574b2d","source":"https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"},{"target":{"file":"bundles/org.openhab.binding.exec/src/main/java/org/openhab/binding/exec/internal/handler/ExecHandler.java"},"signature_version":"v1","digest":{"threshold":0.9},"deprecated":false,"signature_type":"Line","id":"CVE-2020-5242-7bf63f15","source":"https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"},{"target":{"function":"handleCommand","file":"bundles/org.openhab.binding.exec/src/main/java/org/openhab/binding/exec/internal/handler/ExecHandler.java"},"signature_version":"v1","digest":{"function_hash":"129312197812918069128602436689318474465","length":843},"deprecated":false,"signature_type":"Function","id":"CVE-2020-5242-aba6586b","source":"https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"},{"target":{"function":"initialize","file":"bundles/org.openhab.binding.exec/src/main/java/org/openhab/binding/exec/internal/handler/ExecHandler.java"},"signature_version":"v1","digest":{"function_hash":"109590553410168628767012233589719814606","length":443},"deprecated":false,"signature_type":"Function","id":"CVE-2020-5242-d3b770e9","source":"https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"},{"target":{"file":"bundles/org.openhab.transform.exec/src/main/java/org/openhab/transform/exec/internal/ExecTransformationService.java"},"signature_version":"v1","digest":{"threshold":0.9},"deprecated":false,"signature_type":"Line","id":"CVE-2020-5242-df52a9ed","source":"https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"},{"target":{"function":"run","file":"bundles/org.openhab.binding.exec/src/main/java/org/openhab/binding/exec/internal/handler/ExecHandler.java"},"signature_version":"v1","digest":{"function_hash":"88388151900443561984043544032827920445","length":4267},"deprecated":false,"signature_type":"Function","id":"CVE-2020-5242-f34be299","source":"https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"},{"target":{"function":"transformState","file":"bundles/org.openhab.transform.exec/src/main/java/org/openhab/transform/exec/internal/profiles/ExecTransformationProfile.java"},"signature_version":"v1","digest":{"function_hash":"132526771470036568893803210672300769051","length":456},"deprecated":false,"signature_type":"Function","id":"CVE-2020-5242-f5ca3d34","source":"https://github.com/openhab/openhab-addons/commit/4c4cb664f2e2c3866aadf117d22fb54aa8dd0031"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-5242.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}