GHSA-48mj-p7x2-5jfm

Source
https://github.com/advisories/GHSA-48mj-p7x2-5jfm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-48mj-p7x2-5jfm/GHSA-48mj-p7x2-5jfm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-48mj-p7x2-5jfm
Aliases
Published
2021-09-29T17:09:14Z
Modified
2024-09-20T17:48:56.657404Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Basic auth bypass in esphome
Details

Impact

Anyone with web_server enabled and HTTP basic auth configured on 2021.9.1 or older is affected.

web_server allows OTA updates without checking the user-defined basic auth username and password.

Patches

Patch released in 2021.9.2.

Workarounds

Disable or remove web_server.

References

Affected packages

PyPI / esphome

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2021.9.2

Affected versions

1.*

1.10.1
1.11.0b1
1.11.0b2
1.11.0b3
1.11.0
1.11.1
1.11.2
1.12.0b1
1.12.0b2
1.12.0b3
1.12.0b4
1.12.0
1.12.1
1.12.2
1.13.0b1
1.13.0b2
1.13.0b3
1.13.0b4
1.13.0b5
1.13.0b6
1.13.0b7
1.13.0
1.13.1
1.13.2
1.13.3
1.13.4
1.13.5
1.13.6
1.14.0b1
1.14.0b2
1.14.0b3
1.14.0b4
1.14.0b5
1.14.0
1.14.1
1.14.2
1.14.3
1.14.4
1.14.5
1.15.0b1
1.15.0b2
1.15.0b3
1.15.0b4
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0b1
1.16.0b2
1.16.0b3
1.16.0b4
1.16.0b5
1.16.0b6
1.16.0b7
1.16.0b8
1.16.0
1.16.1
1.16.2
1.17.0b1
1.17.0
1.17.1
1.17.2
1.18.0b1
1.18.0b2
1.18.0b3
1.18.0b4
1.18.0
1.19.0b1
1.19.0b2
1.19.0b3
1.19.0b4
1.19.0b5
1.19.0b6
1.19.0b7
1.19.0
1.19.1
1.19.2
1.19.3
1.19.4
1.20.0b1
1.20.0b2
1.20.0b3
1.20.0b4
1.20.0b5
1.20.0b6
1.20.0
1.20.1
1.20.2
1.20.3
1.20.4
1.21.0b1
1.21.0b2
1.21.0b3

2021.*

2021.8.0
2021.8.1
2021.8.2
2021.9.0b1
2021.9.0b2
2021.9.0b3
2021.9.0b4
2021.9.0b5
2021.9.0
2021.9.1