CVE-2023-44385

2023-10-1923:15:08

CWE-352

[email protected]

web.nvd.nist.gov

cve-2023-44385

home assistant companion

ios

macos

client-side request forgery

vulnerability

ghsl-2023-161

nvd

upgrade

security advisory

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.5%

JSON

The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make the victim to call arbitrary services in their Home Assistant installation. Combined with this security advisory, may result in full compromise and remote code execution (RCE). Version 2023.7 addresses this issue and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-161.

Affected configurations

Vulners

NVD

Node

home-assistanthome-assistantRange<2023.7

VendorProductVersionCPE
home\-assistanthome\-assistant*cpe:2.3:a:home\-assistant:home\-assistant:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
home\-assistant	home\-assistant	*	cpe:2.3:a:home\-assistant:home\-assistant::::::::

CNA Affected

[
  {
    "vendor": "home-assistant",
    "product": "core",
    "versions": [
      {
        "version": "< 2023.7",
        "status": "affected"
      }
    ]
  }
]