All the vulnerabilites related to home-assistant - core
cve-2023-27482
Vulnerability from cvelistv5
Published
2023-03-08 00:00
Modified
2024-08-02 12:09
Severity ?
EPSS score ?
Summary
homeassistant is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered. This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older. Installation types, like Home Assistant Container (for example Docker), or Home Assistant Core manually in a Python environment, are not affected. The issue has been mitigated and closed in Supervisor version 2023.03.1, which has been rolled out to all affected installations via the auto-update feature of the Supervisor. This rollout has been completed at the time of publication of this advisory. Home Assistant Core 2023.3.0 included mitigation for this vulnerability. Upgrading to at least that version is thus advised. In case one is not able to upgrade the Home Assistant Supervisor or the Home Assistant Core application at this time, it is advised to not expose your Home Assistant instance to the internet.
References
Impacted products
| Vendor | Product | Version | |||||
|---|---|---|---|---|---|---|---|
| ▼ | home-assistant | core |
Version: < 2023.3.2 |
||||
|
|||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:09:43.515Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-2j8f-h4mr-qr25"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.home-assistant.io/blog/2023/03/08/supervisor-security-disclosure/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/elttam/publications/blob/master/writeups/home-assistant/supervisor-authentication-bypass-advisory.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.elttam.com/blog/pwnassistant/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "home-assistant",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.3.2"
}
]
},
{
"product": "supervisor",
"vendor": "home-assistant",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.03.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "homeassistant is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered. This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older. Installation types, like Home Assistant Container (for example Docker), or Home Assistant Core manually in a Python environment, are not affected. The issue has been mitigated and closed in Supervisor version 2023.03.1, which has been rolled out to all affected installations via the auto-update feature of the Supervisor. This rollout has been completed at the time of publication of this advisory. Home Assistant Core 2023.3.0 included mitigation for this vulnerability. Upgrading to at least that version is thus advised. In case one is not able to upgrade the Home Assistant Supervisor or the Home Assistant Core application at this time, it is advised to not expose your Home Assistant instance to the internet."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-17T00:00:00",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-2j8f-h4mr-qr25"
},
{
"url": "https://www.home-assistant.io/blog/2023/03/08/supervisor-security-disclosure/"
},
{
"url": "https://github.com/elttam/publications/blob/master/writeups/home-assistant/supervisor-authentication-bypass-advisory.md"
},
{
"url": "https://www.elttam.com/blog/pwnassistant/"
}
],
"source": {
"advisory": "GHSA-2j8f-h4mr-qr25",
"discovery": "UNKNOWN"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-27482",
"datePublished": "2023-03-08T00:00:00",
"dateReserved": "2023-03-01T00:00:00",
"dateUpdated": "2024-08-02T12:09:43.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-41894
Vulnerability from cvelistv5
Published
2023-10-19 23:23
Modified
2024-09-12 15:03
Severity ?
EPSS score ?
Summary
Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/home-assistant/core/security/advisories/GHSA-wx3j-3v2j-rf45 | x_refsource_CONFIRM | |
| https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | home-assistant | core |
Version: < 2023.9.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.255Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-wx3j-3v2j-rf45",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-wx3j-3v2j-rf45"
},
{
"name": "https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:03:30.857229Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:03:41.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "home-assistant",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-669",
"description": "CWE-669: Incorrect Resource Transfer Between Spheres",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-19T23:23:17.909Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-wx3j-3v2j-rf45",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-wx3j-3v2j-rf45"
},
{
"name": "https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/"
}
],
"source": {
"advisory": "GHSA-wx3j-3v2j-rf45",
"discovery": "UNKNOWN"
},
"title": "Local-only webhooks externally accessible via SniTun in Home Assistant Core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41894",
"datePublished": "2023-10-19T23:23:17.909Z",
"dateReserved": "2023-09-04T16:31:48.225Z",
"dateUpdated": "2024-09-12T15:03:41.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-41899
Vulnerability from cvelistv5
Published
2023-10-19 22:18
Modified
2024-09-12 15:10
Severity ?
EPSS score ?
Summary
Home assistant is an open source home automation. In affected versions the `hassio.addon_stdin` is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service (e.g.: through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a POST request. An attacker able to exploit will be able to control the data dictionary, including its addon and input key/values. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-162`.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/home-assistant/core/security/advisories/GHSA-4r74-h49q-rr3h | x_refsource_CONFIRM | |
| https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | home-assistant | core |
Version: < 2023.9.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.347Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-4r74-h49q-rr3h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-4r74-h49q-rr3h"
},
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41899",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:10:25.403844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:10:42.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "home-assistant",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Home assistant is an open source home automation. In affected versions the `hassio.addon_stdin` is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service (e.g.: through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a POST request. An attacker able to exploit will be able to control the data dictionary, including its addon and input key/values. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-162`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-19T22:18:31.224Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-4r74-h49q-rr3h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-4r74-h49q-rr3h"
},
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp"
}
],
"source": {
"advisory": "GHSA-4r74-h49q-rr3h",
"discovery": "UNKNOWN"
},
"title": "Partial Server-Side Request Forgery in Home Assistant Core "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41899",
"datePublished": "2023-10-19T22:18:31.224Z",
"dateReserved": "2023-09-04T16:31:48.226Z",
"dateUpdated": "2024-09-12T15:10:42.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-44385
Vulnerability from cvelistv5
Published
2023-10-19 22:02
Modified
2024-09-12 15:13
Severity ?
EPSS score ?
Summary
The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make the victim to call arbitrary services in their Home Assistant installation. Combined with this security advisory, may result in full compromise and remote code execution (RCE). Version 2023.7 addresses this issue and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-161.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | home-assistant | core |
Version: < 2023.7 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:07:32.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:13:15.667825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:13:30.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "home-assistant",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make the victim to call arbitrary services in their Home Assistant installation. Combined with this security advisory, may result in full compromise and remote code execution (RCE). Version 2023.7 addresses this issue and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-161."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-19T22:02:52.674Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp"
}
],
"source": {
"advisory": "GHSA-h2jp-7grc-9xpp",
"discovery": "UNKNOWN"
},
"title": "Client-Side Request Forgery in Home Assistant iOS/macOS native Apps"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-44385",
"datePublished": "2023-10-19T22:02:52.674Z",
"dateReserved": "2023-09-28T17:56:32.613Z",
"dateUpdated": "2024-09-12T15:13:30.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-50715
Vulnerability from cvelistv5
Published
2023-12-15 02:05
Modified
2024-08-02 22:16
Severity ?
EPSS score ?
Summary
Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue.
When starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request is not authenticated and the request originated locally, meaning on the Home Assistant host local subnet or any other private subnet. The rationale behind this is to make the login more user-friendly and an experience better aligned with other applications that have multiple user-profiles.
However, as a result, all accounts are displayed regardless of them having logged in or not and for any device that navigates to the server. This disclosure is mitigated by the fact that it only occurs for requests originating from a LAN address. But note that this applies to the local subnet where Home Assistant resides and to any private subnet that can reach it.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/home-assistant/core/security/advisories/GHSA-jqpc-rc7g-vf83 | x_refsource_CONFIRM | |
| https://github.com/home-assistant/core/commit/dbfc5ea8f96bde6cd165892f5a6a6f9a65731c76 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | home-assistant | core |
Version: < 2023.12.3 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:47.325Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-jqpc-rc7g-vf83",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-jqpc-rc7g-vf83"
},
{
"name": "https://github.com/home-assistant/core/commit/dbfc5ea8f96bde6cd165892f5a6a6f9a65731c76",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/home-assistant/core/commit/dbfc5ea8f96bde6cd165892f5a6a6f9a65731c76"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "home-assistant",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.12.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue.\n\nWhen starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request is not authenticated and the request originated locally, meaning on the Home Assistant host local subnet or any other private subnet. The rationale behind this is to make the login more user-friendly and an experience better aligned with other applications that have multiple user-profiles.\n\nHowever, as a result, all accounts are displayed regardless of them having logged in or not and for any device that navigates to the server. This disclosure is mitigated by the fact that it only occurs for requests originating from a LAN address. But note that this applies to the local subnet where Home Assistant resides and to any private subnet that can reach it."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-15T02:05:57.580Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-jqpc-rc7g-vf83",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-jqpc-rc7g-vf83"
},
{
"name": "https://github.com/home-assistant/core/commit/dbfc5ea8f96bde6cd165892f5a6a6f9a65731c76",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/home-assistant/core/commit/dbfc5ea8f96bde6cd165892f5a6a6f9a65731c76"
}
],
"source": {
"advisory": "GHSA-jqpc-rc7g-vf83",
"discovery": "UNKNOWN"
},
"title": "User accounts disclosed to unauthenticated actors on the LAN"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50715",
"datePublished": "2023-12-15T02:05:57.580Z",
"dateReserved": "2023-12-11T17:53:36.029Z",
"dateUpdated": "2024-08-02T22:16:47.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-41893
Vulnerability from cvelistv5
Published
2023-10-19 23:27
Modified
2024-09-12 15:02
Severity ?
EPSS score ?
Summary
Home assistant is an open source home automation. The audit team’s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim’s `access_token` the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions. To achieve this compromise attempt, the attacker must send a link with a `redirect_uri` that they control to the victim’s own Home Assistant instance. In the eventuality the victim authenticates via said link, the attacker would obtain code sent to the specified URL in `redirect_uri`, which can then be leveraged to fetch an `access_token`. Pertinently, an attacker could increase the efficacy of this strategy by registering a near identical domain to `homeassistant.local`, which at first glance may appear legitimate and thereby obfuscate any malicious intentions. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/home-assistant/core/security/advisories/GHSA-qhhj-7hrc-gqj5 | x_refsource_CONFIRM | |
| https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | home-assistant | core |
Version: < 2023.9.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.302Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-qhhj-7hrc-gqj5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-qhhj-7hrc-gqj5"
},
{
"name": "https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:02:34.822643Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:02:45.555Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "home-assistant",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Home assistant is an open source home automation. The audit team\u2019s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim\u2019s `access_token` the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions. To achieve this compromise attempt, the attacker must send a link with a `redirect_uri` that they control to the victim\u2019s own Home Assistant instance. In the eventuality the victim authenticates via said link, the attacker would obtain code sent to the specified URL in `redirect_uri`, which can then be leveraged to fetch an `access_token`. Pertinently, an attacker could increase the efficacy of this strategy by registering a near identical domain to `homeassistant.local`, which at first glance may appear legitimate and thereby obfuscate any malicious intentions. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-19T23:27:09.318Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-qhhj-7hrc-gqj5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-qhhj-7hrc-gqj5"
},
{
"name": "https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/"
}
],
"source": {
"advisory": "GHSA-qhhj-7hrc-gqj5",
"discovery": "UNKNOWN"
},
"title": "Account takeover via auth_callback login in Home Assistant Core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41893",
"datePublished": "2023-10-19T23:27:09.318Z",
"dateReserved": "2023-09-04T16:31:48.225Z",
"dateUpdated": "2024-09-12T15:02:45.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-41895
Vulnerability from cvelistv5
Published
2023-10-19 22:37
Modified
2024-09-12 15:04
Severity ?
EPSS score ?
Summary
Home assistant is an open source home automation. The Home Assistant login page allows users to use their local Home Assistant credentials and log in to another website that specifies the `redirect_uri` and `client_id` parameters. Although the `redirect_uri` validation typically ensures that it matches the `client_id` and the scheme represents either `http` or `https`, Home Assistant will fetch the `client_id` and check for `<link rel="redirect_uri" href="...">` HTML tags on the page. These URLs are not subjected to the same scheme validation and thus allow for arbitrary JavaScript execution on the Home Assistant administration page via usage of `javascript:` scheme URIs. This Cross-site Scripting (XSS) vulnerability can be executed on the Home Assistant frontend domain, which may be used for a full takeover of the Home Assistant account and installation. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/home-assistant/core/security/advisories/GHSA-jvxq-x42r-f7mv | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | home-assistant | core |
Version: < 2023.9.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.385Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-jvxq-x42r-f7mv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-jvxq-x42r-f7mv"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:04:24.286628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:04:43.051Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "home-assistant",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Home assistant is an open source home automation. The Home Assistant login page allows users to use their local Home Assistant credentials and log in to another website that specifies the `redirect_uri` and `client_id` parameters. Although the `redirect_uri` validation typically ensures that it matches the `client_id` and the scheme represents either `http` or `https`, Home Assistant will fetch the `client_id` and check for `\u003clink rel=\"redirect_uri\" href=\"...\"\u003e` HTML tags on the page. These URLs are not subjected to the same scheme validation and thus allow for arbitrary JavaScript execution on the Home Assistant administration page via usage of `javascript:` scheme URIs. This Cross-site Scripting (XSS) vulnerability can be executed on the Home Assistant frontend domain, which may be used for a full takeover of the Home Assistant account and installation. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-19T22:37:23.942Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-jvxq-x42r-f7mv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-jvxq-x42r-f7mv"
}
],
"source": {
"advisory": "GHSA-jvxq-x42r-f7mv",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting via auth_callback login in Home Assistant Core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41895",
"datePublished": "2023-10-19T22:37:23.942Z",
"dateReserved": "2023-09-04T16:31:48.225Z",
"dateUpdated": "2024-09-12T15:04:43.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-41898
Vulnerability from cvelistv5
Published
2023-10-19 22:08
Modified
2024-09-12 15:12
Severity ?
EPSS score ?
Summary
Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-142`.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | home-assistant | core |
Version: < 2023.9.2 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.375Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41898",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:11:44.543324Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:12:08.060Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "home-assistant",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.9.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-142`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-19T22:08:40.783Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg"
}
],
"source": {
"advisory": "GHSA-jvpm-q3hq-86rg",
"discovery": "UNKNOWN"
},
"title": " Arbitrary URL load in Android WebView in `MyActivity.kt` in Home Assistant Companion for Android"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41898",
"datePublished": "2023-10-19T22:08:40.783Z",
"dateReserved": "2023-09-04T16:31:48.226Z",
"dateUpdated": "2024-09-12T15:12:08.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-41897
Vulnerability from cvelistv5
Published
2023-10-19 22:23
Modified
2024-09-12 15:08
Severity ?
EPSS score ?
Summary
Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw | x_refsource_CONFIRM | |
| https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q | x_refsource_MISC | |
| https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | home-assistant | core |
Version: < 2023.9.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.102Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw"
},
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q"
},
{
"name": "https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:08:36.794855Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:08:55.086Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "home-assistant",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-19T22:23:32.278Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw"
},
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q"
},
{
"name": "https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/"
}
],
"source": {
"advisory": "GHSA-935v-rmg9-44mw",
"discovery": "UNKNOWN"
},
"title": "Lack of XFO header allows clickjacking in Home Assistant Core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41897",
"datePublished": "2023-10-19T22:23:32.278Z",
"dateReserved": "2023-09-04T16:31:48.226Z",
"dateUpdated": "2024-09-12T15:08:55.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-41896
Vulnerability from cvelistv5
Published
2023-10-19 22:30
Modified
2024-09-12 15:06
Severity ?
EPSS score ?
Summary
Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the `hassUrl`, which is subsequently utilized to establish a WebSocket connection. This behavior permits an attacker to create a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alternative WebSocket backend. Henceforth, the attacker can spoof any WebSocket responses and trigger cross site scripting (XSS). Since the XSS is executed on the actual Home Assistant frontend domain, it can connect to the real Home Assistant backend, which essentially represents a comprehensive takeover scenario. Permitting the site to be iframed by other origins, as discussed in GHSA-935v-rmg9-44mw, renders this exploit substantially covert since a malicious website can obfuscate the compromise strategy in the background. However, even without this, the attacker can still send the `auth_callback` link directly to the victim user. To mitigate this issue, Cure53 advises modifying the WebSocket code’s authentication flow. An optimal implementation in this regard would not trust the `hassUrl` passed in by a GET parameter. Cure53 must stipulate the significant time required of the Cure53 consultants to identify an XSS vector, despite holding full control over the WebSocket responses. In many areas, data from the WebSocket was properly sanitized, which hinders post-exploitation. The audit team eventually detected the `js_url` for custom panels, though generally, the frontend exhibited reasonable security hardening. This issue has been addressed in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket in version 8.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q | x_refsource_CONFIRM | |
| https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | home-assistant | core |
Version: Home Assistant Core : < 2023.8.0 Version: home-assistant-js-websocket: < 8.2.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q"
},
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41896",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:06:04.223766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:06:52.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "home-assistant",
"versions": [
{
"status": "affected",
"version": "Home Assistant Core : \u003c 2023.8.0"
},
{
"status": "affected",
"version": "home-assistant-js-websocket: \u003c 8.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the `hassUrl`, which is subsequently utilized to establish a WebSocket connection. This behavior permits an attacker to create a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alternative WebSocket backend. Henceforth, the attacker can spoof any WebSocket responses and trigger cross site scripting (XSS). Since the XSS is executed on the actual Home Assistant frontend domain, it can connect to the real Home Assistant backend, which essentially represents a comprehensive takeover scenario. Permitting the site to be iframed by other origins, as discussed in GHSA-935v-rmg9-44mw, renders this exploit substantially covert since a malicious website can obfuscate the compromise strategy in the background. However, even without this, the attacker can still send the `auth_callback` link directly to the victim user. To mitigate this issue, Cure53 advises modifying the WebSocket code\u2019s authentication flow. An optimal implementation in this regard would not trust the `hassUrl` passed in by a GET parameter. Cure53 must stipulate the significant time required of the Cure53 consultants to identify an XSS vector, despite holding full control over the WebSocket responses. In many areas, data from the WebSocket was properly sanitized, which hinders post-exploitation. The audit team eventually detected the `js_url` for custom panels, though generally, the frontend exhibited reasonable security hardening. This issue has been addressed in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket in version 8.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-19T22:30:49.623Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q"
},
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw"
}
],
"source": {
"advisory": "GHSA-cr83-q7r2-7f5q",
"discovery": "UNKNOWN"
},
"title": "Fake websocket server installation permits full takeover in Home Assistant Core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41896",
"datePublished": "2023-10-19T22:30:49.623Z",
"dateReserved": "2023-09-04T16:31:48.225Z",
"dateUpdated": "2024-09-12T15:06:52.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}