esphome@2023.11.4 vulnerabilities

Make creating custom firmwares for ESP32/ESP8266 super easy.

latest version

2024.10.3
latest non vulnerable version

2024.11.0b2
first published

6 years ago
latest version published

6 days ago
licenses detected
- MIT
  [0,)
View esphome package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the esphome package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Path Traversal esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy. Affected versions of this package are vulnerable to Path Traversal due to a security misconfiguration in the `edit configuration file API` in the dashboard component. An attacker can read and write arbitrary files under the configuration directory, rendering remote code execution possible by exploiting authenticated access to the API. Notes: The issue gives read and write access to files under the configuration directory and allows malicious users to write arbitrary code in python scripts executed during the compilation and flashing of firmwares for ESP boards. This issue could allow an unauthenticated remote user to gain remote code execution on the machine hosting the dashboard. It also allows accessing sensitive information such as esphome.json and board firmware source code allowing a user to modify the board firmware, and leaking secrets such as: WiFi network credentials, fallback hotspot WiFi credentials, OTA component authentication password and API encryption key. How to fix Path Traversal? Upgrade `esphome` to version 2024.2.1 or higher.	[,2024.2.1)

Path Traversal

esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy.

Affected versions of this package are vulnerable to Path Traversal due to a security misconfiguration in the edit configuration file API in the dashboard component. An attacker can read and write arbitrary files under the configuration directory, rendering remote code execution possible by exploiting authenticated access to the API.

Notes:

The issue gives read and write access to files under the configuration directory and allows malicious users to write arbitrary code in python scripts executed during the compilation and flashing of firmwares for ESP boards.
This issue could allow an unauthenticated remote user to gain remote code execution on the machine hosting the dashboard.
It also allows accessing sensitive information such as esphome.json and board firmware source code allowing a user to modify the board firmware, and leaking secrets such as: WiFi network credentials, fallback hotspot WiFi credentials, OTA component authentication password and API encryption key.

How to fix Path Traversal?

Upgrade esphome to version 2024.2.1 or higher.

[,2024.2.1)

Go back to all versions of this package

esphome@2023.11.4 vulnerabilities

Make creating custom firmwares for ESP32/ESP8266 super easy.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities