Lucene search

[email protected]CVE-2023-41899

HistoryOct 19, 2023 - 11:15 p.m.

CVE-2023-41899

2023-10-1923:15:08

CWE-918

[email protected]

web.nvd.nist.gov

home assistant

hassio.addon_stdin

vulnerability

cve-2023-41899

ssrf

security

ghsa-h2jp-7grc-9xpp

supervisor rest api

github security lab

ghsl-2023-162

nvd

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.5%

JSON

Home assistant is an open source home automation. In affected versions the hassio.addon_stdin is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service (e.g.: through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a POST request. An attacker able to exploit will be able to control the data dictionary, including its addon and input key/values. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-162.

Affected configurations

Vulners

NVD

Node

home-assistanthome-assistantRange<2023.9.0

VendorProductVersionCPE
home\-assistanthome\-assistant*cpe:2.3:a:home\-assistant:home\-assistant:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
home\-assistant	home\-assistant	*	cpe:2.3:a:home\-assistant:home\-assistant::::::::

CNA Affected

[
  {
    "vendor": "home-assistant",
    "product": "core",
    "versions": [
      {
        "version": "< 2023.9.0",
        "status": "affected"
      }
    ]
  }
]