CVE-2023-41897 – Lack of XFO header allows clickjacking in Home Assistant Core
https://notcve.org/view.php?id=CVE-2023-41897
Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. • https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVE-2023-41899 – Partial Server-Side Request Forgery in Home Assistant Core
https://notcve.org/view.php?id=CVE-2023-41899
Home assistant is an open source home automation. In affected versions the `hassio.addon_stdin` is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service (e.g.: through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a POST request. An attacker able to exploit will be able to control the data dictionary, including its addon and input key/values. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/home-assistant/core/security/advisories/GHSA-4r74-h49q-rr3h https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-27482
https://notcve.org/view.php?id=CVE-2023-27482
homeassistant is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered. This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older. Installation types, like Home Assistant Container (for example Docker), or Home Assistant Core manually in a Python environment, are not affected. The issue has been mitigated and closed in Supervisor version 2023.03.1, which has been rolled out to all affected installations via the auto-update feature of the Supervisor. • https://github.com/elttam/publications/blob/master/writeups/home-assistant/supervisor-authentication-bypass-advisory.md https://github.com/home-assistant/core/security/advisories/GHSA-2j8f-h4mr-qr25 https://www.elttam.com/blog/pwnassistant https://www.home-assistant.io/blog/2023/03/08/supervisor-security-disclosure • CWE-287: Improper Authentication •
CVE-2020-36517
https://notcve.org/view.php?id=CVE-2020-36517
An information leak in Nabu Casa Home Assistant Operating System and Home Assistant Supervised 2022.03 allows a DNS operator to gain knowledge about internal network resources via the hardcoded DNS resolver configuration. Una filtrado de información en Nabu Casa Home Assistant Operating System and Home Assistant Supervised versión 2022.03, permite que un operador de DNS obtenga conocimientos sobre los recursos de la red interna por medio de la configuración del DNS embebida • https://community.home-assistant.io/t/ha-os-dns-setting-configuration-not-respected/356572 https://github.com/home-assistant/plugin-dns/issues/17 https://github.com/home-assistant/plugin-dns/issues/20 https://github.com/home-assistant/plugin-dns/issues/22 https://github.com/home-assistant/plugin-dns/issues/50 https://github.com/home-assistant/plugin-dns/issues/51 https://github.com/home-assistant/plugin-dns/issues/53 https://github.com/home-assistant/plugin-dns/issues/54 https • CWE-203: Observable Discrepancy •
CVE-2021-3152
https://notcve.org/view.php?id=CVE-2021-3152
Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks against custom integrations. NOTE: the vendor's perspective is that the vulnerability itself is in custom integrations written by third parties, not in Home Assistant; however, Home Assistant does have a security update that is worthwhile in addressing this situation ** EN DISPUTADA ** Home Assistant versiones anteriores a 2021.1.3, no presenta una capa de protección que pueda ayudar a impedir ataques de saltos de directorio contra integraciones personalizadas. NOTA: la perspectiva del proveedor es que la vulnerabilidad en sí está en integraciones personalizadas escritas por terceros, no en Home Assistant; sin embargo, Home Assistant presenta una actualización de seguridad que vale la pena para abordar esta situación • https://www.home-assistant.io/blog/2021/01/14/security-bulletin https://www.home-assistant.io/blog/2021/01/22/security-disclosure • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •