2 matches found
CVE-2021-41104 web_server allows OTA update without checking user defined basic auth username & password
ESPHome is a system to control the ESP8266/ESP32. Anyone with webserver enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which webserver allows over-the-air OTA updates without checking user defined basic auth username & password. This issue is...
CVE-2021-41104
ESPHome’s web_server in versions 2021.9.1 and earlier is vulnerable to OTA updates without validating the configured HTTP basic auth credentials. The root cause is that OTA update requests bypass the user-defined username/password check. The issue is fixed in version 2021.9.2; as a workaround, di...