CVE-2023-44385

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-44385

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-44385.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-44385

Aliases

GHSA-h2jp-7grc-9xpp

Published

2023-10-19T22:02:52.674Z

Modified

2026-04-16T04:11:52.862013Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Client-Side Request Forgery in Home Assistant iOS/macOS native Apps

Details

The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make the victim to call arbitrary services in their Home Assistant installation. Combined with this security advisory, may result in full compromise and remote code execution (RCE). Version 2023.7 addresses this issue and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-161.

Database specific

{
    "cwe_ids": [
        "CWE-352"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/44xxx/CVE-2023-44385.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/home-assistant/core

Affected ranges

Type

GIT

Repo

https://github.com/home-assistant/core

Events

Introduced

Fixed

91ea14d9eb51f1e50f36363a566f99be0679bc93

Database specific

{
    "source": "CPE_FIELD",
    "cpe": [
        "cpe:2.3:a:home-assistant:home_assistant_companion:*:*:*:*:*:iphone_os:*:*",
        "cpe:2.3:a:home-assistant:home_assistant_companion:*:*:*:*:*:macos:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2023.7"
        }
    ]
}

Affected versions

0.*

0.103.0

0.103.0b0

0.103.0b1

0.103.1

0.103.2

0.103.3

0.103.4

0.103.5

0.103.6

0.104.0

0.104.1

0.104.2

0.104.3

0.105.0

0.105.1

0.105.2

0.105.3

0.105.4

0.105.5

0.106.0

0.106.1

0.106.2

0.106.3

0.106.4

0.106.5

0.106.6

0.107.0

0.107.1

0.107.2

0.107.3

0.107.4

0.107.5

0.107.6

0.107.7

0.108.0

0.108.1

0.108.2

0.108.3

0.108.4

0.108.5

0.108.6

0.108.7

0.108.8

0.108.9

0.109.0

0.109.1

0.109.2

0.109.3

0.109.4

0.109.5

0.109.6

0.110.0

0.110.1

0.110.2

0.110.3

0.110.4

0.110.5

0.110.6

0.110.7

0.111.0

0.111.1

0.111.2

0.111.3

0.111.4

0.112.0

0.112.1

0.112.2

0.112.3

0.112.4

0.112.5

0.113.0

0.113.1

0.113.2

0.113.3

0.114.0

0.114.1

0.114.2

0.114.3

0.114.4

0.115.0

0.115.1

0.115.2

0.115.3

0.115.4

0.115.5

0.115.6

0.116.0

0.116.1

0.116.2

0.116.3

0.116.4

0.117.0

0.117.1

0.117.2

0.117.3

0.117.4

0.117.5

0.117.6

0.118.0

0.118.1

0.118.2

0.118.3

0.118.4

0.118.5

0.28

0.7.6

0.81.1

2020.*

2020.12.0

2020.12.1

2020.12.2

2021.*

2021.1.0

2021.1.1

2021.1.2

2021.1.3

2021.1.4

2021.1.5

2021.10.0

2021.10.1

2021.10.2

2021.10.3

2021.10.4

2021.10.5

2021.10.6

2021.10.7

2021.11.0

2021.11.1

2021.11.2

2021.11.3

2021.11.4

2021.11.5

2021.12.0

2021.12.1

2021.12.10

2021.12.2

2021.12.3

2021.12.4

2021.12.5

2021.12.6

2021.12.7

2021.12.8

2021.12.9

2021.2.0

2021.2.1

2021.2.2

2021.2.3

2021.3.0

2021.3.1

2021.3.2

2021.3.3

2021.3.4

2021.4.0

2021.4.1

2021.4.2

2021.4.3

2021.4.4

2021.4.5

2021.4.6

2021.5.0

2021.5.1

2021.5.2

2021.5.3

2021.5.4

2021.5.5

2021.6.0

2021.6.1

2021.6.2

2021.6.3

2021.6.4

2021.6.5

2021.6.6

2021.7.0

2021.7.1

2021.7.2

2021.7.3

2021.7.4

2021.8.0

2021.8.1

2021.8.2

2021.8.3

2021.8.4

2021.8.5

2021.8.6

2021.8.7

2021.8.8

2021.9.0

2021.9.1

2021.9.2

2021.9.3

2021.9.4

2021.9.5

2021.9.6

2021.9.7

2022.*

2022.10.0

2022.10.1

2022.10.2

2022.10.3

2022.10.4

2022.10.5

2022.11.0

2022.11.1

2022.11.2

2022.11.3

2022.11.4

2022.11.5

2022.12.0

2022.12.1

2022.12.2

2022.12.3

2022.12.4

2022.12.5

2022.12.6

2022.12.7

2022.12.8

2022.12.9

2022.2.0

2022.2.1

2022.2.2

2022.2.3

2022.2.4

2022.2.5

2022.2.6

2022.2.7

2022.2.8

2022.2.9

2022.3.0

2022.3.1

2022.3.2

2022.3.3

2022.3.4

2022.3.5

2022.3.6

2022.3.7

2022.3.8

2022.4.0

2022.4.1

2022.4.2

2022.4.3

2022.4.4

2022.4.5

2022.4.6

2022.4.7

2022.5.0

2022.5.1

2022.5.2

2022.5.3

2022.5.4

2022.5.5

2022.6.0

2022.6.1

2022.6.2

2022.6.3

2022.6.4

2022.6.5

2022.6.6

2022.6.7

2022.7.0

2022.7.1

2022.7.2

2022.7.3

2022.7.4

2022.7.5

2022.7.6

2022.7.7

2022.8.0

2022.8.1

2022.8.2

2022.8.3

2022.8.4

2022.8.5

2022.8.6

2022.8.7

2022.9.0

2022.9.1

2022.9.2

2022.9.3

2022.9.4

2022.9.5

2022.9.6

2022.9.7

2023.*

2023.1.0

2023.1.1

2023.1.2

2023.1.3

2023.1.4

2023.1.5

2023.1.6

2023.1.7

2023.2.0

2023.2.1

2023.2.2

2023.2.3

2023.2.4

2023.2.5

2023.3.0

2023.3.1

2023.3.2

2023.3.3

2023.3.4

2023.3.5

2023.3.6

2023.4.0

2023.4.1

2023.4.2

2023.4.3

2023.4.4

2023.4.5

2023.4.6

2023.5.0

2023.5.1

2023.5.2

2023.5.3

2023.5.4

2023.6.0

2023.6.1

2023.6.2

2023.6.3

Other

Last-Python2-release

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-44385.json"