3 results (0.011 seconds)

CVSS: 10.0EPSS: 14%CPEs: 2EXPL: 0

homeassistant is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered. This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older. Installation types, like Home Assistant Container (for example Docker), or Home Assistant Core manually in a Python environment, are not affected. The issue has been mitigated and closed in Supervisor version 2023.03.1, which has been rolled out to all affected installations via the auto-update feature of the Supervisor. • https://github.com/elttam/publications/blob/master/writeups/home-assistant/supervisor-authentication-bypass-advisory.md https://github.com/home-assistant/core/security/advisories/GHSA-2j8f-h4mr-qr25 https://www.elttam.com/blog/pwnassistant https://www.home-assistant.io/blog/2023/03/08/supervisor-security-disclosure • CWE-287: Improper Authentication •

CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0

In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer responded that the affected component, inet_http_server, is not enabled by default but if the user enables it and does not set a password, Supervisor logs a warning message. The maintainer indicated the ability to run an open server will not be removed but an additional warning was added to the documentation ** EN DISPUTA ** En Supervisor hasta la versión 4.0.2, un usuario no autenticado puede leer archivos de registro o reiniciar un servicio. Nota: El responsable de mantenimiento respondió que el componente afectado, inet_http_server, no está habilitado de manera predeterminada, pero si el usuario lo habilita y no establece una contraseña, Supervisor registra un mensaje de advertencia. El responsable de mantenimiento indicó que la capacidad de ejecutar un servidor abierto no se eliminará, pero se agregó una advertencia adicional a la documentación. • http://supervisord.org/configuration.html#inet-http-server-section-settings https://github.com/Supervisor/supervisor/commit/4e334d9cf2a1daff685893e35e72398437df3dcb https://github.com/Supervisor/supervisor/issues/1245 • CWE-306: Missing Authentication for Critical Function •

CVSS: 9.0EPSS: 97%CPEs: 18EXPL: 3

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups. El servidor XML-RPC en supervisor en versiones anteriores a la 3.0.1, 3.1.x en versiones anteriores a la 3.1.4, 3.2.x en versiones anteriores a la 3.2.4, y 3.3.x en versiones anteriores a la 3.3.3 permite que atacantes remotos autenticados ejecuten comandos arbitrarios mediante una petición XML-RPC, relacionada con búsquedas de espacio de nombres supervisor anidados. A vulnerability was found in the XML-RPC interface in supervisord. When processing malformed commands, an attacker can cause arbitrary shell commands to be executed on the server as the same user as supervisord. Exploitation requires the attacker to first be authenticated to the supervisord service. • https://www.exploit-db.com/exploits/42779 https://github.com/yaunsky/CVE-2017-11610 https://github.com/ivanitlearning/CVE-2017-11610 http://www.debian.org/security/2017/dsa-3942 https://access.redhat.com/errata/RHSA-2017:3005 https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.3. • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-276: Incorrect Default Permissions •