The GitHub Security Lab team has identified potential security vulnerabilities in Home Assistant.
Summary
The hassio.addon_stdin service is vulnerable to a partial Server-Side Request Forgery: an attacker capable of calling this service (e.g.: through this vulnerability) may be able to invoke any Supervisor REST API endpoint with a POST request. An attacker able to exploit it will be able to control the data dictionary, including its addon and input key/values.
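The check a defender would want at this service boundary, as an added example that is not Home Assistant's own code: it assumes (hypothetically) that the caller-supplied addon value is placed into the Supervisor request path, so anything other than a plain add-on slug is rejected before any request is built. The slug pattern and the path format are assumptions, not taken from the advisory.

```python
import re
from urllib.parse import quote

# Assumed add-on slug format (lowercase alphanumerics and underscores);
# Home Assistant's real rules may differ. Hypothetical example code.
ADDON_SLUG_RE = re.compile(r"^[a-z0-9][a-z0-9_]*$")


class InvalidAddonSlug(ValueError):
    """Raised when the caller-supplied addon value is not a plain slug."""


def build_stdin_path(addon) -> str:
    """Return the Supervisor endpoint path for sending stdin to an add-on.

    Only a simple slug is accepted, so a caller-controlled value cannot
    steer the POST to a different Supervisor endpoint. The '/addons/<slug>/stdin'
    layout is an assumption for this example.
    """
    if not isinstance(addon, str) or not ADDON_SLUG_RE.fullmatch(addon):
        raise InvalidAddonSlug(f"addon must be a plain add-on slug, got {addon!r}")
    # quote() with no safe characters is defence in depth: a validated slug
    # never needs escaping, but it guarantees the value stays one path segment.
    return f"/addons/{quote(addon, safe='')}/stdin"


def validate_addon_stdin_call(data: dict) -> dict:
    """Validate service-call data before it reaches the Supervisor client.

    Returns the endpoint path and the stdin payload as separate values so
    the caller never has to assemble a URL from untrusted input itself.
    """
    if not isinstance(data, dict):
        raise ValueError("service data must be a dictionary")
    if "input" not in data:
        raise ValueError("input is required")
    return {"path": build_stdin_path(data.get("addon")), "input": data["input"]}
```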
Impact
This issue may lead to Remote Code Execution.
Credit
These issues were discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-162