Home Assistant
CVE-2023-50715
MEDIUM
Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 4 pypi packages depend on homeassistant (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 2023.12.3.
DescriptionNVD
Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue.
When starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request is not authenticated and the request originated locally, meaning on the Home Assistant host local subnet or any other private subnet. The rationale behind this is to make the login more user-friendly and an experience better aligned with other applications that have multiple user-profiles.
However, as a result, all accounts are displayed regardless of them having logged in or not and for any device that navigates to the server. This disclosure is mitigated by the fact that it only occurs for requests originating from a LAN address. But note that this applies to the local subnet where Home Assistant resides and to any private subnet that can reach it.
AnalysisAI
Home Assistant is open source home automation software. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue. When starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request is not authenticated and the request originated locally, meaning on the Home Assistant host local subnet or any other private subnet. The rationale behind this is to make the login more user-friendly and an experience better aligned with other applications that have multiple user-profiles. However, as a result, all accounts are displayed regardless of them having logged in or not and for any device that navigates to the server. This disclosure is mitigated by the fact that it only occurs for requests originating from a LAN address. But note that this applies to the local subnet where Home Assistant resides and to any private subnet that can reach it. Affected products include: Home-Assistant. Version information: version 2023.12.3.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
More in Home Assistant
View allhomeassistant is an open source home automation tool. Rated critical severity (CVSS 10.0), this vulnerability is remotel
Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exp
Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exp
Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks aga
Home assistant is an open source home automation. Rated critical severity (CVSS 9.0), this vulnerability is remotely exp
Cross-site scripting in Home Assistant's Map card component allows authenticated users to inject malicious JavaScript th
Home assistant is an open source home automation. Rated high severity (CVSS 7.2), this vulnerability is remotely exploit
In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markd
Home assistant is an open source home automation. Rated medium severity (CVSS 5.4), this vulnerability is remotely explo
Home assistant is an open source home automation. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today