CVE-2021-41104: Missing Authentication for Critical Function
ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on or older is vulnerable to an issue in which web_server
allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched As a workaround, one may disable or remove web_server
.
References
- github.com/advisories/GHSA-48mj-p7x2-5jfm
- github.com/esphome/esphome/commit/be965a60eba6bb769e2a5afdbc8eed132f077a59
- github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e
- github.com/esphome/esphome/releases/tag/2021.9.2
- github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm
- nvd.nist.gov/vuln/detail/CVE-2021-41104
Detect and mitigate CVE-2021-41104 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →