ID

VAR-202310-0696


CVE

CVE-2023-41899


TITLE

Server-side request forgery vulnerability in Home Assistant

Trust: 0.8

sources: JVNDB: JVNDB-2023-015261

DESCRIPTION

Home Assistant is an open source home automation platform. In affected versions the `hassio.addon_stdin` service is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service (e.g. through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoint with a POST request. An attacker able to exploit this will be able to control the data dictionary, including its addon and input key/values. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-162`. Home Assistant contains a server-side request forgery vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).

Trust: 1.71

sources: NVD: CVE-2023-41899 // JVNDB: JVNDB-2023-015261 // VULMON: CVE-2023-41899

AFFECTED PRODUCTS

vendor: home assistant
model: home-assistant
scope: lt
version: 2023.9.0

Trust: 1.0

vendor: home assistant
model: home assistant
scope: eq
version: -

Trust: 0.8

vendor: home assistant
model: home assistant
scope: eq
version: 2023.9.0

Trust: 0.8

vendor: home assistant
model: home assistant
scope: -
version: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-015261 // NVD: CVE-2023-41899

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-41899
value: HIGH

Trust: 1.0

security-advisories@github.com: CVE-2023-41899
value: MEDIUM

Trust: 1.0

NVD: CVE-2023-41899
value: HIGH

Trust: 0.8

nvd@nist.gov: CVE-2023-41899
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2023-41899
baseSeverity: MEDIUM
baseScore: 6.6
vectorString: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.7
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2023-41899
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-015261 // NVD: CVE-2023-41899 // NVD: CVE-2023-41899

PROBLEMTYPE DATA

problemtype: CWE-918

Trust: 1.0

problemtype: Server-side request forgery (CWE-918) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-015261 // NVD: CVE-2023-41899

EXTERNAL IDS

db: NVD, id: CVE-2023-41899

Trust: 2.7

db: JVNDB, id: JVNDB-2023-015261

Trust: 0.8

db: VULMON, id: CVE-2023-41899

Trust: 0.1

sources: VULMON: CVE-2023-41899 // JVNDB: JVNDB-2023-015261 // NVD: CVE-2023-41899

REFERENCES

url: https://github.com/home-assistant/core/security/advisories/ghsa-h2jp-7grc-9xpp

Trust: 1.9

url: https://github.com/home-assistant/core/security/advisories/ghsa-4r74-h49q-rr3h

Trust: 1.9

url: https://nvd.nist.gov/vuln/detail/cve-2023-41899

Trust: 0.8

url: https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2023-41899 // JVNDB: JVNDB-2023-015261 // NVD: CVE-2023-41899

SOURCES

db: VULMON, id: CVE-2023-41899
db: JVNDB, id: JVNDB-2023-015261
db: NVD, id: CVE-2023-41899

LAST UPDATE DATE

2024-08-14T14:01:34.615000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2023-41899, date: 2023-10-20T00:00:00
db: JVNDB, id: JVNDB-2023-015261, date: 2023-12-27T03:01:00
db: NVD, id: CVE-2023-41899, date: 2023-10-26T16:03:33.100

SOURCES RELEASE DATE

db: VULMON, id: CVE-2023-41899, date: 2023-10-19T00:00:00
db: JVNDB, id: JVNDB-2023-015261, date: 2023-12-27T00:00:00
db: NVD, id: CVE-2023-41899, date: 2023-10-19T23:15:08.787