homeassistant 2023.11.0b4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the homeassistant package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Improper Validation of Certificate with Host Mismatch Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch in `components/octoprint`, which uses custom Octoprint HTTP sessions. The default `ssl` parameter configuration uses the value `False` or `None`, which causes the SSL verification functionality to run and prevents information exposure. But in the Octoprint integration these default `SSLContext` settings can be bypassed by passing in `use-ssl=true`, which results in malicious connections appearing trusted and allowing MitM attacks. How to fix Improper Validation of Certificate with Host Mismatch? Upgrade `homeassistant` to version 2024.1.6 or higher.	[2023.9.0b0,2024.1.6)
M Information Exposure Affected versions of this package are vulnerable to Information Exposure due to an issue with the login page, which discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. This could potentially allow an unauthorized actor to gain knowledge of all user accounts on the system. Notes: This applies to the local subnet where Home Assistant resides and to any private subnet that can reach it. How to fix Information Exposure? Upgrade `homeassistant` to version 2023.12.3 or higher.	[,2023.12.3)

Vulnerability

Vulnerable Version

Improper Validation of Certificate with Host Mismatch

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch in components/octoprint, which uses custom Octoprint HTTP sessions. The default ssl parameter configuration uses the value False or None, which causes the SSL verification functionality to run and prevents information exposure. But in the Octoprint integration these default SSLContext settings can be bypassed by passing in use-ssl=true, which results in malicious connections appearing trusted and allowing MitM attacks.

How to fix Improper Validation of Certificate with Host Mismatch?

Upgrade homeassistant to version 2024.1.6 or higher.

[2023.9.0b0,2024.1.6)

Information Exposure

Affected versions of this package are vulnerable to Information Exposure due to an issue with the login page, which discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. This could potentially allow an unauthorized actor to gain knowledge of all user accounts on the system.

Notes:

This applies to the local subnet where Home Assistant resides and to any private subnet that can reach it.

How to fix Information Exposure?

Upgrade homeassistant to version 2023.12.3 or higher.

[,2023.12.3)

homeassistant@2023.11.0b4 vulnerabilities

Open-source home automation platform running on Python 3.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically