Skip to main content

Home Assistant CVE-2023-50715

MEDIUM
Information Exposure (CWE-200)
2023-12-15 security-advisories@github.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 15, 2023 - 03:15 nvd
MEDIUM 4.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 pypi packages depend on homeassistant (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 2023.12.3.

DescriptionNVD

Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue.

When starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request is not authenticated and the request originated locally, meaning on the Home Assistant host local subnet or any other private subnet. The rationale behind this is to make the login more user-friendly and an experience better aligned with other applications that have multiple user-profiles.

However, as a result, all accounts are displayed regardless of them having logged in or not and for any device that navigates to the server. This disclosure is mitigated by the fact that it only occurs for requests originating from a LAN address. But note that this applies to the local subnet where Home Assistant resides and to any private subnet that can reach it.

AnalysisAI

Home Assistant is open source home automation software. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue. When starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request is not authenticated and the request originated locally, meaning on the Home Assistant host local subnet or any other private subnet. The rationale behind this is to make the login more user-friendly and an experience better aligned with other applications that have multiple user-profiles. However, as a result, all accounts are displayed regardless of them having logged in or not and for any device that navigates to the server. This disclosure is mitigated by the fact that it only occurs for requests originating from a LAN address. But note that this applies to the local subnet where Home Assistant resides and to any private subnet that can reach it. Affected products include: Home-Assistant. Version information: version 2023.12.3.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

CVE-2023-27482 CRITICAL POC
10.0 Mar 08

homeassistant is an open source home automation tool. Rated critical severity (CVSS 10.0), this vulnerability is remotel

CVE-2023-41897 CRITICAL
9.6 Oct 19

Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exp

CVE-2023-41895 CRITICAL
9.6 Oct 19

Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exp

CVE-2021-3152 MEDIUM POC
5.3 Jan 26

Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks aga

CVE-2023-41896 CRITICAL
9.0 Oct 19

Home assistant is an open source home automation. Rated critical severity (CVSS 9.0), this vulnerability is remotely exp

CVE-2026-33044 HIGH
7.3 Mar 27

Cross-site scripting in Home Assistant's Map card component allows authenticated users to inject malicious JavaScript th

CVE-2023-41899 HIGH
7.2 Oct 19

Home assistant is an open source home automation. Rated high severity (CVSS 7.2), this vulnerability is remotely exploit

CVE-2017-16782 MEDIUM
6.1 Nov 10

In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markd

CVE-2023-41893 MEDIUM
5.4 Oct 20

Home assistant is an open source home automation. Rated medium severity (CVSS 5.4), this vulnerability is remotely explo

CVE-2023-41894 MEDIUM
5.3 Oct 20

Home assistant is an open source home automation. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo

Share

CVE-2023-50715 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy