Veracode Vulnerability Database: VERACODE:45654
History: Feb 27, 2024 - 9:57 a.m.

Path Traversal

2024-02-27 09:57:36
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
esphome
web server
path traversal
vulnerability
remote code execution

CVSS3: 7.2 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.6 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 10.5%)

esphome is vulnerable to Path Traversal. The vulnerability is due to a lack of file extension validation within web_server.py. If the attacker can write arbitrary content to a file and the system processes that file as code, they might achieve Remote Code Execution (RCE).

CPE Name Operator Version
esphome le 2024.2.0b1
