esphome@2023.2.0b1 vulnerabilities

ESPHome is a system to configure your microcontrollers by simple yet powerful configuration files and control them remotely through Home Automation systems.

  • latest version

    2024.12.2

  • first published

    5 years ago

  • latest version published

    15 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the esphome package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability: Path Traversal
    Severity: High

    esphome makes creating custom firmware for ESP32/ESP8266 boards easy.

    Affected versions of this package are vulnerable to Path Traversal due to a security misconfiguration in the edit configuration file API of the dashboard component. The API does not confine client-supplied file names to the configuration directory, so an attacker with authenticated access to the API can read and write arbitrary files under that directory, which makes remote code execution possible.

    Notes:

    1. The issue gives read and write access to files under the configuration directory, so a malicious user can write arbitrary code into Python scripts that ESPHome executes while compiling and flashing firmware for ESP boards.

    2. Where the dashboard is deployed without authentication, the same issue lets an unauthenticated remote user gain remote code execution on the machine hosting the dashboard.

    3. It also exposes sensitive information such as esphome.json and the board firmware sources, letting a user modify the board firmware, and leaks secrets such as WiFi network credentials, fallback hotspot WiFi credentials, the OTA component authentication password and the API encryption key.
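    The following is an added illustration, not ESPHome's own code: a naive path join of the kind an "edit configuration file" endpoint might perform, placed beside a hardened resolver that confines the resolved path to the configuration directory. The `unsafe_resolve`, `safe_resolve`, `evaluate` and `run_demo` names, the constructed temporary configuration directory and the sample file outside it are all assumptions made for the example.

```python
"""Path traversal in a config-file editing API: naive join vs. contained resolve.

Added example, not ESPHome code. Demonstrates how "../" segments, absolute
paths and symlinks escape a configuration directory when the server joins a
client-supplied name onto it, and how a realpath-plus-containment check stops
each of them.
"""
import os
import tempfile
from pathlib import Path


def unsafe_resolve(config_dir: str, requested: str) -> str:
    """Hypothetical vulnerable behaviour: trust the client-supplied name.

    os.path.join collapses nothing and, if `requested` is absolute, discards
    `config_dir` entirely.
    """
    return os.path.join(config_dir, requested)


def safe_resolve(config_dir: str, requested: str) -> str:
    """Hardened resolver: canonicalise, then require the result to live
    strictly under the canonical configuration directory."""
    base = Path(config_dir).resolve()
    # Path joining with an absolute `requested` yields that absolute path;
    # resolve() also collapses ".." and follows symlinks, so the containment
    # check below sees the real target, not the client's spelling of it.
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        # Covers escape via "..", absolute paths, symlinks pointing outside,
        # and a request for the directory itself.
        raise PermissionError(f"path escapes configuration directory: {requested!r}")
    return str(candidate)


def evaluate(config_dir: str, requested: str) -> tuple:
    """Return (unsafe_escapes, safe_accepted) for one client-supplied name."""
    base = Path(config_dir).resolve()
    unsafe_target = Path(unsafe_resolve(config_dir, requested)).resolve()
    unsafe_escapes = base not in unsafe_target.parents
    try:
        safe_resolve(config_dir, requested)
        safe_accepted = True
    except PermissionError:
        safe_accepted = False
    return unsafe_escapes, safe_accepted


def run_demo() -> dict:
    """Build a throwaway config dir plus a file outside it (constructed sample
    data) and evaluate several traversal attempts against both resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        config_dir = os.path.join(tmp, "config")
        os.mkdir(config_dir)
        outside = Path(tmp, "outside.txt")
        outside.write_text("constructed sample: must not be reachable\n")

        cases = {
            "benign": "living_room.yaml",
            "dotdot": "../outside.txt",
            "absolute": str(outside),
            "nested_dotdot": "sub/../../outside.txt",
        }
        # Symlink inside the config dir pointing outside it (skipped where the
        # platform refuses to create symlinks).
        try:
            os.symlink(outside, os.path.join(config_dir, "link.yaml"))
            cases["symlink"] = "link.yaml"
        except OSError:
            pass

        return {label: evaluate(config_dir, req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, (unsafe_escapes, safe_accepted) in run_demo().items():
        print(f"{label:14s} unsafe_escapes={unsafe_escapes!s:5s} safe_accepted={safe_accepted}")
```

    Only the benign name survives the hardened resolver; every traversal variant, including the symlink that the naive string-level check would never notice, is rejected because the comparison is made on the canonical path rather than on the client's input.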

    How to fix Path Traversal?

    Upgrade esphome to version 2024.2.1 or higher.

    Vulnerable versions: [,2024.2.1)