Home > Vulnerability Database > CVE-2023-41894

Mend.io Vulnerability Database

CVE-2023-41894

Good to know:

Date: October 19, 2023

Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Python

Severity Score

5.3

Related Resources (4)

Url: https://github.com/home-assistant/core/security/advisories/GHSA-wx3j-3v2j-rf45

Url: https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-41894

Url: https://www.mend.io/vulnerability-database/CVE-2023-41894

Severity Score

5.3

Weakness Type (CWE)

Incorrect Resource Transfer Between Spheres

CWE-669

Top Fix

Upgrade Version

Upgrade to version homeassistant - 2023.9.0

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-41894

Good to know:

Date: October 19, 2023

Language: Python

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?