CVE-2023-41899

2023-10-1923:15:08

CWE-918

GitHub_M

web.nvd.nist.gov

home assistant

hassio.addon_stdin

vulnerability

cve-2023-41899

ssrf

security

ghsa-h2jp-7grc-9xpp

supervisor rest api

github security lab

ghsl-2023-162

nvd

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

25.6%

JSON

Home assistant is an open source home automation. In affected versions the hassio.addon_stdin is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service (e.g.: through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a POST request. An attacker able to exploit will be able to control the data dictionary, including its addon and input key/values. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-162.

Affected configurations

Nvd

Vulners

Node

home-assistanthome-assistantRange<2023.9.0

VendorProductVersionCPE
home-assistanthome-assistant*cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
home-assistant	home-assistant	*	cpe:2.3:a:home-assistant:home-assistant::::::::

CNA Affected

[
  {
    "vendor": "home-assistant",
    "product": "core",
    "versions": [
      {
        "version": "< 2023.9.0",
        "status": "affected"
      }
    ]
  }
]