Advisories for Pypi/Homeassistant package

2023

Exposure of Sensitive Information to an Unauthorized Actor

Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue. When starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the …

Home Assistant vulnerable to account takeover via auth_callback login

Part of the Cure53 security audit of Home Assistant. The audit team’s analyses confirmed that the redirect_uri and client_id are alterable when logging in. Consequently, the code parameter utilized to fetch the access_token post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and homeassistant.local represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this …

2022

Home Assistant information disclosure vulnerability

Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py.