Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-41899— Partial Server-Side Request Forgery in Home Assistant Core

CVSS 6.6 · Medium EPSS 0.17% · P38
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-41899

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Partial Server-Side Request Forgery in Home Assistant Core
Source: NVD (National Vulnerability Database)
Vulnerability Description
Home assistant is an open source home automation. In affected versions the `hassio.addon_stdin` is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service (e.g.: through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a POST request. An attacker able to exploit will be able to control the data dictionary, including its addon and input key/values. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-162`.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Home Assistant 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Home Assistant是一套开源的家庭自动化管理系统。该系统主要用于控制家庭自动化设备。 Home Assistant Companion 2023.7之前版本存在安全漏洞,该漏洞源于组件hassio.addon_stdin存在服务器请求伪造(SSRF)漏洞。攻击者可利用该漏洞通过POST请求调用任何REST API端点。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
home-assistantcore < 2023.9.0 -

II. Public POCs for CVE-2023-41899

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-41899

登录查看更多情报信息。

Same Patch Batch · home-assistant · 2023-10-19 · 8 CVEs total

CVE-2023-418978.8 HIGHLack of XFO header allows clickjacking in Home Assistant Core
CVE-2023-418958.8 HIGHCross-site Scripting via auth_callback login in Home Assistant Core
CVE-2023-443858.6 HIGHClient-Side Request Forgery in Home Assistant iOS/macOS native Apps
CVE-2023-418988.6 HIGH Arbitrary URL load in Android WebView in `MyActivity.kt` in Home Assistant Companion for
CVE-2023-418967.1 HIGHFake websocket server installation permits full takeover in Home Assistant Core
CVE-2023-418945.3 MEDIUMLocal-only webhooks externally accessible via SniTun in Home Assistant Core
CVE-2023-418934.3 MEDIUMAccount takeover via auth_callback login in Home Assistant Core

IV. Related Vulnerabilities

Same product: core
Same vendor: home-assistant
Same weakness: CWE-918

V. Comments for CVE-2023-41899

No comments yet

Leave a comment