CVE-2024-29019: Authentication bypass via Cross site request forgery

March 21, 2024

API endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF) allowing remote attackers to carry out attacks against a logged user of the dashboard to perform operations on configuration files (create, edit, delete).

References

github.com/advisories/GHSA-5925-88xh-6h99
github.com/advisories/GHSA-9p43-hj5j-96h5
github.com/esphome/esphome
github.com/esphome/esphome/security/advisories/GHSA-5925-88xh-6h99
nvd.nist.gov/vuln/detail/CVE-2024-29019

Detect and mitigate CVE-2024-29019 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →