ID

VAR-202310-0843


CVE

CVE-2023-41894


TITLE

Home Assistant  Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-015262

DESCRIPTION

Home Assistant is an open source home automation platform. The assessment verified that webhooks available in the webhook component can be triggered via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as "Only accessible from the local network". This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Trust: 1.71

sources: NVD: CVE-2023-41894 // JVNDB: JVNDB-2023-015262 // VULMON: CVE-2023-41894

AFFECTED PRODUCTS

vendor: home assistant, model: home-assistant, scope: lt, version: 2023.9.0

Trust: 1.0

vendor: home assistant, model: home assistant, scope: eq, version: -

Trust: 0.8

vendor: home assistant, model: home assistant, scope: eq, version: 2023.9.0

Trust: 0.8

vendor: home assistant, model: home assistant, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-015262 // NVD: CVE-2023-41894

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-41894
value: MEDIUM

Trust: 1.0

security-advisories@github.com: CVE-2023-41894
value: MEDIUM

Trust: 1.0

NVD: CVE-2023-41894
value: MEDIUM

Trust: 0.8

nvd@nist.gov: CVE-2023-41894
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 2.0

NVD: CVE-2023-41894
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-015262 // NVD: CVE-2023-41894 // NVD: CVE-2023-41894

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-669

Trust: 1.0

problemtype:others (CWE-Other) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-015262 // NVD: CVE-2023-41894

EXTERNAL IDS

db: NVD, id: CVE-2023-41894

Trust: 2.7

db: JVNDB, id: JVNDB-2023-015262

Trust: 0.8

db: VULMON, id: CVE-2023-41894

Trust: 0.1

sources: VULMON: CVE-2023-41894 // JVNDB: JVNDB-2023-015262 // NVD: CVE-2023-41894

REFERENCES

url:https://github.com/home-assistant/core/security/advisories/ghsa-wx3j-3v2j-rf45

Trust: 1.9

url:https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2023-41894

Trust: 0.8

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2023-41894 // JVNDB: JVNDB-2023-015262 // NVD: CVE-2023-41894

SOURCES

db: VULMON, id: CVE-2023-41894
db: JVNDB, id: JVNDB-2023-015262
db: NVD, id: CVE-2023-41894

LAST UPDATE DATE

2024-08-14T15:36:43.837000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2023-41894, date: 2023-10-20T00:00:00
db: JVNDB, id: JVNDB-2023-015262, date: 2023-12-27T03:01:00
db: NVD, id: CVE-2023-41894, date: 2023-10-26T18:01:12.650

SOURCES RELEASE DATE

db: VULMON, id: CVE-2023-41894, date: 2023-10-20T00:00:00
db: JVNDB, id: JVNDB-2023-015262, date: 2023-12-27T00:00:00
db: NVD, id: CVE-2023-41894, date: 2023-10-20T00:15:16.093