Home Assistant
CVE-2023-41893
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 2 pypi packages depend on homeassistant (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 2023.9.0.
DescriptionNVD
Home assistant is an open source home automation. The audit team’s analyses confirmed that the redirect_uri and client_id are alterable when logging in. Consequently, the code parameter utilized to fetch the access_token post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and homeassistant.local represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim’s access_token the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions. To achieve this compromise attempt, the attacker must send a link with a redirect_uri that they control to the victim’s own Home Assistant instance. In the eventuality the victim authenticates via said link, the attacker would obtain code sent to the specified URL in redirect_uri, which can then be leveraged to fetch an access_token. Pertinently, an attacker could increase the efficacy of this strategy by registering a near identical domain to homeassistant.local, which at first glance may appear legitimate and thereby obfuscate any malicious intentions. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
AnalysisAI
Home assistant is an open source home automation. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Home assistant is an open source home automation. The audit team’s analyses confirmed that the redirect_uri and client_id are alterable when logging in. Consequently, the code parameter utilized to fetch the access_token post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and homeassistant.local represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim’s access_token the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions. To achieve this compromise attempt, the attacker must send a link with a redirect_uri that they control to the victim’s own Home Assistant instance. In the eventuality the victim authenticates via said link, the attacker would obtain code sent to the specified URL in redirect_uri, which can then be leveraged to fetch an access_token. Pertinently, an attacker could increase the efficacy of this strategy by registering a near identical domain to homeassistant.local, which at first glance may appear legitimate and thereby obfuscate any malicious intentions. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Home-Assistant. Version information: version 2023.9.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
More in Home Assistant
View allhomeassistant is an open source home automation tool. Rated critical severity (CVSS 10.0), this vulnerability is remotel
Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exp
Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exp
Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks aga
Home assistant is an open source home automation. Rated critical severity (CVSS 9.0), this vulnerability is remotely exp
Home Assistant is open source home automation software. Rated medium severity (CVSS 4.3), this vulnerability is no authe
Cross-site scripting in Home Assistant's Map card component allows authenticated users to inject malicious JavaScript th
Home assistant is an open source home automation. Rated high severity (CVSS 7.2), this vulnerability is remotely exploit
In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markd
Home assistant is an open source home automation. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today