CVE-2023-50715: Home Assistant Information Disclosure Vulnerability

CVSS 4.3 · Medium · EPSS 0.91% · P56

I. CVE-2023-50715 Basic Information

Vulnerability Information

Vulnerability Title
User accounts disclosed to unauthenticated actors on the LAN
Source: U.S. National Vulnerability Database (NVD)
Vulnerability Description
Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue. When starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request is not authenticated and the request originated locally, meaning on the Home Assistant host local subnet or any other private subnet. The rationale behind this is to make the login more user-friendly and an experience better aligned with other applications that have multiple user-profiles. However, as a result, all accounts are displayed regardless of them having logged in or not and for any device that navigates to the server. This disclosure is mitigated by the fact that it only occurs for requests originating from a LAN address. But note that this applies to the local subnet where Home Assistant resides and to any private subnet that can reach it.
Source: U.S. National Vulnerability Database (NVD)
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: U.S. National Vulnerability Database (NVD)
Vulnerability Type
Information Exposure
Source: U.S. National Vulnerability Database (NVD)
Vulnerability Title
Home Assistant Information Disclosure Vulnerability
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability Description
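Home Assistant is an open-source home automation management system developed by Home Assistant, used mainly to control home automation devices. Home Assistant versions before 2023.12.3 contain an information disclosure vulnerability: the login page leaks information, disclosing all active user accounts to any unauthenticated browsing request originating from the local area network.
Source: China National Vulnerability Database of Information Security (CNNVD)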
CVSS Information
N/A
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability Type
N/A
Source: China National Vulnerability Database of Information Security (CNNVD)

Affected Products

Vendor: home-assistant · Product: core · Affected versions: < 2023.12.3 · CPE: -

II. Public POCs for CVE-2023-50715

No public POC found.


III. Intelligence Information for CVE-2023-50715


CVE-2023-50715 Patches and Fixes (1)

CVE-2023-50715 Vendor Security Advisories (1)

IV. Related Vulnerabilities

V. Comments for CVE-2023-50715

No comments yet.

