CVE-2023-41894

Source
https://cve.org/CVERecord?id=CVE-2023-41894
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41894.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-41894
Aliases
  • GHSA-wx3j-3v2j-rf45
Published
2023-10-19T23:23:17.909Z
Modified
2026-04-10T05:03:15.507226Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Local-only webhooks externally accessible via SniTun in Home Assistant Core
Details

Home Assistant is an open source home automation platform. The assessment verified that webhooks registered with the webhook component can be triggered through the instance's public *.ui.nabu.casa URL without authentication, even when the webhook is marked "Only accessible from the local network". The cause is the SniTun proxy used for remote access: every request received on the public URL is forwarded to the local Home Assistant instance with a source address of 127.0.0.1, so a local-only check that inspects only the peer address sees a loopback client and accepts the request. All releases before 2023.9.0 are affected. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
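The following is an added, constructed model of the failure mode described above; it is not Home Assistant's or SniTun's code, and it does not reproduce the exact 2023.9.0 patch. It assumes a webhook registry with a `local_only` flag (an unset flag treated as local-only), an `is_local()` peer-address heuristic, a `tunnel_forward()` stand-in for the proxy that collapses the source address to 127.0.0.1, and a server-side `via_remote_tunnel` request marker as the hardened check's extra signal. The `exposed_via_tunnel()` audit helper shows which local-only hooks an internet client can fire under each version of the check.

```python
"""Model of the CVE-2023-41894 failure mode (constructed example, not
Home Assistant's or SniTun's implementation).
Assumptions: a webhook registry with a local_only flag (unset treated as
local-only), a peer-address check modelled on an is_local() helper, and a
request-scoped via_remote_tunnel marker that only the tunnel ingress can set."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, Optional, Set

# Constructed registry: webhook id -> local_only flag.
WEBHOOKS: Dict[str, Optional[bool]] = {
    "doorbell_cam": True,    # explicitly local-only
    "ifttt_notify": False,   # intentionally reachable from the internet
    "legacy_hook": None,     # flag never set; this model treats it as local-only
}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request as the webhook handler sees it."""
    remote: str                      # peer address of the TCP connection
    via_remote_tunnel: bool = False  # set server-side by the tunnel ingress, never from client input


def is_local(addr: str) -> bool:
    """Peer-address heuristic: private, loopback and link-local ranges count as local."""
    ip = ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def tunnel_forward(client_ip: str) -> Request:
    """Model of a SniTun-style remote-access proxy.  The request arrives on the
    public URL from client_ip, but the proxy process replays it to the local
    instance over loopback, so the handler's peer address is 127.0.0.1."""
    del client_ip  # the original source is not carried through to the handler
    return Request(remote="127.0.0.1", via_remote_tunnel=True)


def handle_vulnerable(req: Request, webhook_id: str) -> int:
    """Pre-2023.9.0 shape of the check: trusts the peer address alone."""
    if WEBHOOKS[webhook_id] in (True, None) and not is_local(req.remote):
        return 403
    return 200  # webhook fires


def handle_fixed(req: Request, webhook_id: str) -> int:
    """Hardened check: a local-only webhook is also refused when the request
    is known (from a server-side marker) to have come through the remote tunnel,
    regardless of what the peer address says."""
    if WEBHOOKS[webhook_id] in (True, None):
        if req.via_remote_tunnel or not is_local(req.remote):
            return 403
    return 200


def exposed_via_tunnel(handler: Callable[[Request, str], int]) -> Set[str]:
    """Audit helper: which local-only webhooks fire when an internet client
    (constructed address 1.2.3.4) calls them through the tunnel under `handler`."""
    return {
        wid for wid, local_only in WEBHOOKS.items()
        if local_only in (True, None)
        and handler(tunnel_forward("1.2.3.4"), wid) == 200
    }


if __name__ == "__main__":
    print("vulnerable:", sorted(exposed_via_tunnel(handle_vulnerable)))  # ['doorbell_cam', 'legacy_hook']
    print("fixed:     ", sorted(exposed_via_tunnel(handle_fixed)))       # []
```

The design point is where the "came through the tunnel" signal originates: it has to be set by the tunnel ingress inside the server process, never derived from a client-supplied header such as X-Forwarded-For, which an internet client can forge. The same class of bug applies to any reverse proxy or tunnel that terminates connections and re-originates them from loopback, so a peer-address check alone is never a sufficient "local network" test behind such a proxy.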

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41894.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-669"
    ]
}
References

Affected packages

Git / github.com/home-assistant/core

Affected ranges

Type
GIT
Repo
https://github.com/home-assistant/core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2023.9.0"
        }
    ]
}

Affected versions

0.*
0.103.0
0.103.0b0
0.103.0b1
0.103.1
0.103.2
0.103.3
0.103.4
0.103.5
0.103.6
0.104.0
0.104.1
0.104.2
0.104.3
0.105.0
0.105.1
0.105.2
0.105.3
0.105.4
0.105.5
0.106.0
0.106.1
0.106.2
0.106.3
0.106.4
0.106.5
0.106.6
0.107.0
0.107.1
0.107.2
0.107.3
0.107.4
0.107.5
0.107.6
0.107.7
0.108.0
0.108.1
0.108.2
0.108.3
0.108.4
0.108.5
0.108.6
0.108.7
0.108.8
0.108.9
0.109.0
0.109.1
0.109.2
0.109.3
0.109.4
0.109.5
0.109.6
0.110.0
0.110.1
0.110.2
0.110.3
0.110.4
0.110.5
0.110.6
0.110.7
0.111.0
0.111.1
0.111.2
0.111.3
0.111.4
0.112.0
0.112.1
0.112.2
0.112.3
0.112.4
0.112.5
0.113.0
0.113.1
0.113.2
0.113.3
0.114.0
0.114.1
0.114.2
0.114.3
0.114.4
0.115.0
0.115.1
0.115.2
0.115.3
0.115.4
0.115.5
0.115.6
0.116.0
0.116.1
0.116.2
0.116.3
0.116.4
0.117.0
0.117.1
0.117.2
0.117.3
0.117.4
0.117.5
0.117.6
0.118.0
0.118.1
0.118.2
0.118.3
0.118.4
0.118.5
0.28
0.7.6
0.81.1
2020.*
2020.12.0
2020.12.1
2020.12.2
2021.*
2021.1.0
2021.1.1
2021.1.2
2021.1.3
2021.1.4
2021.1.5
2021.10.0
2021.10.1
2021.10.2
2021.10.3
2021.10.4
2021.10.5
2021.10.6
2021.10.7
2021.11.0
2021.11.1
2021.11.2
2021.11.3
2021.11.4
2021.11.5
2021.12.0
2021.12.1
2021.12.10
2021.12.2
2021.12.3
2021.12.4
2021.12.5
2021.12.6
2021.12.7
2021.12.8
2021.12.9
2021.2.0
2021.2.1
2021.2.2
2021.2.3
2021.3.0
2021.3.1
2021.3.2
2021.3.3
2021.3.4
2021.4.0
2021.4.1
2021.4.2
2021.4.3
2021.4.4
2021.4.5
2021.4.6
2021.5.0
2021.5.1
2021.5.2
2021.5.3
2021.5.4
2021.5.5
2021.6.0
2021.6.1
2021.6.2
2021.6.3
2021.6.4
2021.6.5
2021.6.6
2021.7.0
2021.7.1
2021.7.2
2021.7.3
2021.7.4
2021.8.0
2021.8.1
2021.8.2
2021.8.3
2021.8.4
2021.8.5
2021.8.6
2021.8.7
2021.8.8
2021.9.0
2021.9.1
2021.9.2
2021.9.3
2021.9.4
2021.9.5
2021.9.6
2021.9.7
2022.*
2022.10.0
2022.10.1
2022.10.2
2022.10.3
2022.10.4
2022.10.5
2022.11.0
2022.11.1
2022.11.2
2022.11.3
2022.11.4
2022.11.5
2022.12.0
2022.12.1
2022.12.2
2022.12.3
2022.12.4
2022.12.5
2022.12.6
2022.12.7
2022.12.8
2022.12.9
2022.2.0
2022.2.1
2022.2.2
2022.2.3
2022.2.4
2022.2.5
2022.2.6
2022.2.7
2022.2.8
2022.2.9
2022.3.0
2022.3.1
2022.3.2
2022.3.3
2022.3.4
2022.3.5
2022.3.6
2022.3.7
2022.3.8
2022.4.0
2022.4.1
2022.4.2
2022.4.3
2022.4.4
2022.4.5
2022.4.6
2022.4.7
2022.5.0
2022.5.1
2022.5.2
2022.5.3
2022.5.4
2022.5.5
2022.6.0
2022.6.1
2022.6.2
2022.6.3
2022.6.4
2022.6.5
2022.6.6
2022.6.7
2022.7.0
2022.7.1
2022.7.2
2022.7.3
2022.7.4
2022.7.5
2022.7.6
2022.7.7
2022.8.0
2022.8.1
2022.8.2
2022.8.3
2022.8.4
2022.8.5
2022.8.6
2022.8.7
2022.9.0
2022.9.1
2022.9.2
2022.9.3
2022.9.4
2022.9.5
2022.9.6
2022.9.7
2023.*
2023.1.0
2023.1.1
2023.1.2
2023.1.3
2023.1.4
2023.1.5
2023.1.6
2023.1.7
2023.2.0
2023.2.1
2023.2.2
2023.2.3
2023.2.4
2023.2.5
2023.3.0
2023.3.1
2023.3.2
2023.3.3
2023.3.4
2023.3.5
2023.3.6
2023.4.0
2023.4.1
2023.4.2
2023.4.3
2023.4.4
2023.4.5
2023.4.6
2023.5.0
2023.5.1
2023.5.2
2023.5.3
2023.5.4
2023.6.0
2023.6.1
2023.6.2
2023.6.3
2023.7.0
2023.7.1
2023.7.2
2023.7.3
2023.8.0
2023.8.1
2023.8.2
2023.8.3
2023.8.4
Other
Last-Python2-release

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41894.json"

Git / github.com/home-assistant/home-assistant

Affected ranges

Type
GIT
Repo
https://github.com/home-assistant/home-assistant
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2023.9.0"
        }
    ]
}

Affected versions

0.*
0.103.0
0.103.0b0
0.103.0b1
0.103.1
0.103.2
0.103.3
0.103.4
0.103.5
0.103.6
0.104.0
0.104.1
0.104.2
0.104.3
0.105.0
0.105.1
0.105.2
0.105.3
0.105.4
0.105.5
0.106.0
0.106.1
0.106.2
0.106.3
0.106.4
0.106.5
0.106.6
0.107.0
0.107.1
0.107.2
0.107.3
0.107.4
0.107.5
0.107.6
0.107.7
0.108.0
0.108.1
0.108.2
0.108.3
0.108.4
0.108.5
0.108.6
0.108.7
0.108.8
0.108.9
0.109.0
0.109.1
0.109.2
0.109.3
0.109.4
0.109.5
0.109.6
0.110.0
0.110.1
0.110.2
0.110.3
0.110.4
0.110.5
0.110.6
0.110.7
0.111.0
0.111.1
0.111.2
0.111.3
0.111.4
0.112.0
0.112.1
0.112.2
0.112.3
0.112.4
0.112.5
0.113.0
0.113.1
0.113.2
0.113.3
0.114.0
0.114.1
0.114.2
0.114.3
0.114.4
0.115.0
0.115.1
0.115.2
0.115.3
0.115.4
0.115.5
0.115.6
0.116.0
0.116.1
0.116.2
0.116.3
0.116.4
0.117.0
0.117.1
0.117.2
0.117.3
0.117.4
0.117.5
0.117.6
0.118.0
0.118.1
0.118.2
0.118.3
0.118.4
0.118.5
0.28
0.7.6
0.81.1
2020.*
2020.12.0
2020.12.1
2020.12.2
2021.*
2021.1.0
2021.1.1
2021.1.2
2021.1.3
2021.1.4
2021.1.5
2021.10.0
2021.10.1
2021.10.2
2021.10.3
2021.10.4
2021.10.5
2021.10.6
2021.10.7
2021.11.0
2021.11.1
2021.11.2
2021.11.3
2021.11.4
2021.11.5
2021.12.0
2021.12.1
2021.12.10
2021.12.2
2021.12.3
2021.12.4
2021.12.5
2021.12.6
2021.12.7
2021.12.8
2021.12.9
2021.2.0
2021.2.1
2021.2.2
2021.2.3
2021.3.0
2021.3.1
2021.3.2
2021.3.3
2021.3.4
2021.4.0
2021.4.1
2021.4.2
2021.4.3
2021.4.4
2021.4.5
2021.4.6
2021.5.0
2021.5.1
2021.5.2
2021.5.3
2021.5.4
2021.5.5
2021.6.0
2021.6.1
2021.6.2
2021.6.3
2021.6.4
2021.6.5
2021.6.6
2021.7.0
2021.7.1
2021.7.2
2021.7.3
2021.7.4
2021.8.0
2021.8.1
2021.8.2
2021.8.3
2021.8.4
2021.8.5
2021.8.6
2021.8.7
2021.8.8
2021.9.0
2021.9.1
2021.9.2
2021.9.3
2021.9.4
2021.9.5
2021.9.6
2021.9.7
2022.*
2022.10.0
2022.10.1
2022.10.2
2022.10.3
2022.10.4
2022.10.5
2022.11.0
2022.11.1
2022.11.2
2022.11.3
2022.11.4
2022.11.5
2022.12.0
2022.12.1
2022.12.2
2022.12.3
2022.12.4
2022.12.5
2022.12.6
2022.12.7
2022.12.8
2022.12.9
2022.2.0
2022.2.1
2022.2.2
2022.2.3
2022.2.4
2022.2.5
2022.2.6
2022.2.7
2022.2.8
2022.2.9
2022.3.0
2022.3.1
2022.3.2
2022.3.3
2022.3.4
2022.3.5
2022.3.6
2022.3.7
2022.3.8
2022.4.0
2022.4.1
2022.4.2
2022.4.3
2022.4.4
2022.4.5
2022.4.6
2022.4.7
2022.5.0
2022.5.1
2022.5.2
2022.5.3
2022.5.4
2022.5.5
2022.6.0
2022.6.1
2022.6.2
2022.6.3
2022.6.4
2022.6.5
2022.6.6
2022.6.7
2022.7.0
2022.7.1
2022.7.2
2022.7.3
2022.7.4
2022.7.5
2022.7.6
2022.7.7
2022.8.0
2022.8.1
2022.8.2
2022.8.3
2022.8.4
2022.8.5
2022.8.6
2022.8.7
2022.9.0
2022.9.1
2022.9.2
2022.9.3
2022.9.4
2022.9.5
2022.9.6
2022.9.7
2023.*
2023.1.0
2023.1.1
2023.1.2
2023.1.3
2023.1.4
2023.1.5
2023.1.6
2023.1.7
2023.2.0
2023.2.1
2023.2.2
2023.2.3
2023.2.4
2023.2.5
2023.3.0
2023.3.1
2023.3.2
2023.3.3
2023.3.4
2023.3.5
2023.3.6
2023.4.0
2023.4.1
2023.4.2
2023.4.3
2023.4.4
2023.4.5
2023.4.6
2023.5.0
2023.5.1
2023.5.2
2023.5.3
2023.5.4
2023.6.0
2023.6.1
2023.6.2
2023.6.3
2023.7.0
2023.7.1
2023.7.2
2023.7.3
2023.8.0
2023.8.1
2023.8.2
2023.8.3
2023.8.4
Other
Last-Python2-release

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41894.json"