Upgrade RHEL:8 kernel-zfcpdump to version 0:4.18.0-372.51.1.el8_6 or higher. This issue was patched in RHSA-2023:1554 .

esphome@1.18.0b3 vulnerabilities

ESPHome is a system to configure your microcontrollers by simple yet powerful configuration files and control them remotely through Home Automation systems.

latest version

2024.12.2

latest non vulnerable version

2024.12.2

first published

5 years ago

latest version published

18 days ago

licenses detected

MIT
[0,)

View esphome package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the esphome package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Path Traversal esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy. Affected versions of this package are vulnerable to Path Traversal due to a security misconfiguration in the `edit configuration file API` in the dashboard component. An attacker can read and write arbitrary files under the configuration directory, rendering remote code execution possible by exploiting authenticated access to the API. Notes: The issue gives read and write access to files under the configuration directory and allows malicious users to write arbitrary code in python scripts executed during the compilation and flashing of firmwares for ESP boards. This issue could allow an unauthenticated remote user to gain remote code execution on the machine hosting the dashboard. It also allows accessing sensitive information such as esphome.json and board firmware source code allowing a user to modify the board firmware, and leaking secrets such as: WiFi network credentials, fallback hotspot WiFi credentials, OTA component authentication password and API encryption key. How to fix Path Traversal? Upgrade `esphome` to version 2024.2.1 or higher.	[,2024.2.1)
H Improper Authentication esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy. Affected versions of this package are vulnerable to Improper Authentication. When `web_server` is enabled and HTTP basic auth configured, `web_server` allows over-the-air (OTA) updates without checking user-defined basic authentication such as the username and password. How to fix Improper Authentication? Upgrade `esphome` to version 2021.9.2 or higher.	[,2021.9.2)

Path Traversal

esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy.

Affected versions of this package are vulnerable to Path Traversal due to a security misconfiguration in the edit configuration file API in the dashboard component. An attacker can read and write arbitrary files under the configuration directory, rendering remote code execution possible by exploiting authenticated access to the API.

Notes:

The issue gives read and write access to files under the configuration directory and allows malicious users to write arbitrary code in python scripts executed during the compilation and flashing of firmwares for ESP boards.
This issue could allow an unauthenticated remote user to gain remote code execution on the machine hosting the dashboard.
It also allows accessing sensitive information such as esphome.json and board firmware source code allowing a user to modify the board firmware, and leaking secrets such as: WiFi network credentials, fallback hotspot WiFi credentials, OTA component authentication password and API encryption key.

How to fix Path Traversal?

Upgrade esphome to version 2024.2.1 or higher.

[,2024.2.1)

Improper Authentication

esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy.

Affected versions of this package are vulnerable to Improper Authentication. When web_server is enabled and HTTP basic auth configured, web_server allows over-the-air (OTA) updates without checking user-defined basic authentication such as the username and password.

How to fix Improper Authentication?

Upgrade esphome to version 2021.9.2 or higher.

[,2021.9.2)

Go back to all versions of this package