esphome@2023.11.4 vulnerabilities

Make creating custom firmwares for ESP32/ESP8266 super easy.

Direct Vulnerabilities

Known vulnerabilities in the esphome package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Path Traversal

esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy.

Affected versions of this package are vulnerable to Path Traversal due to a security misconfiguration in the edit configuration file API in the dashboard component. An attacker can read and write arbitrary files under the configuration directory, rendering remote code execution possible by exploiting authenticated access to the API.

Notes:

  1. The issue gives read and write access to files under the configuration directory and allows malicious users to write arbitrary code in python scripts executed during the compilation and flashing of firmwares for ESP boards.

  2. This issue could allow an unauthenticated remote user to gain remote code execution on the machine hosting the dashboard.

  3. It also allows accessing sensitive information such as esphome.json and board firmware source code allowing a user to modify the board firmware, and leaking secrets such as: WiFi network credentials, fallback hotspot WiFi credentials, OTA component authentication password and API encryption key.

How to fix Path Traversal?

Upgrade esphome to version 2024.2.1 or higher.

[,2024.2.1)