PYSEC-2021-351

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/esphome/PYSEC-2021-351.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2021-351
Aliases
Published
2021-09-28T16:15:00Z
Modified
2023-11-08T04:06:51.299405Z
Summary
[none]
Details

ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which web_server allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove web_server.

References

Affected packages

PyPI / esphome

Package

Name
esphome
View open source insights on deps.dev
Purl
pkg:pypi/esphome

Affected ranges

Type
GIT
Repo
https://github.com/esphome/esphome
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2234f6aacf8cc653307fed80f3750317a82c4f83
Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2021.9.2

Affected versions

1.*

1.10.1
1.11.0b1
1.11.0b2
1.11.0b3
1.11.0
1.11.1
1.11.2
1.12.0b1
1.12.0b2
1.12.0b3
1.12.0b4
1.12.0
1.12.1
1.12.2
1.13.0b1
1.13.0b2
1.13.0b3
1.13.0b4
1.13.0b5
1.13.0b6
1.13.0b7
1.13.0
1.13.1
1.13.2
1.13.3
1.13.4
1.13.5
1.13.6
1.14.0b1
1.14.0b2
1.14.0b3
1.14.0b4
1.14.0b5
1.14.0
1.14.1
1.14.2
1.14.3
1.14.4
1.14.5
1.15.0b1
1.15.0b2
1.15.0b3
1.15.0b4
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0b1
1.16.0b2
1.16.0b3
1.16.0b4
1.16.0b5
1.16.0b6
1.16.0b7
1.16.0b8
1.16.0
1.16.1
1.16.2
1.17.0b1
1.17.0
1.17.1
1.17.2
1.18.0b1
1.18.0b2
1.18.0b3
1.18.0b4
1.18.0
1.19.0b1
1.19.0b2
1.19.0b3
1.19.0b4
1.19.0b5
1.19.0b6
1.19.0b7
1.19.0
1.19.1
1.19.2
1.19.3
1.19.4
1.20.0b1
1.20.0b2
1.20.0b3
1.20.0b4
1.20.0b5
1.20.0b6
1.20.0
1.20.1
1.20.2
1.20.3
1.20.4
1.21.0b1
1.21.0b2
1.21.0b3

2021.*

2021.8.0
2021.8.1
2021.8.2
2021.9.0b1
2021.9.0b2
2021.9.0b3
2021.9.0b4
2021.9.0b5
2021.9.0
2021.9.1