GHSA-48mj-p7x2-5jfm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-48mj-p7x2-5jfm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-48mj-p7x2-5jfm/GHSA-48mj-p7x2-5jfm.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-48mj-p7x2-5jfm
- Aliases
-
- CVE-2021-41104
- PYSEC-2021-351
- Published
- 2021-09-29T17:09:14Z
- Modified
- 2024-09-20T17:46:16.227939Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Basic auth bypass in esphome
- Details
-
Impact
Anyone with web_server enabled and HTTP basic auth configured on 2021.9.1 or older
web_serverallows OTA update without checking user defined basic auth username & passwordPatches
Patch released in 2021.9.2
Workarounds
Disable/remove
web_server - Database specific
{ "github_reviewed_at": "2021-09-28T21:10:08Z", "nvd_published_at": "2021-09-28T16:15:00Z", "cwe_ids": [ "CWE-306" ], "severity": "HIGH", "github_reviewed": true }- References
-
- https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm
- https://nvd.nist.gov/vuln/detail/CVE-2021-41104
- https://github.com/esphome/esphome/pull/2409
- https://github.com/esphome/esphome/commit/2234f6aacf8cc653307fed80f3750317a82c4f83
- https://github.com/esphome/esphome/commit/be965a60eba6bb769e2a5afdbc8eed132f077a59
- https://github.com/esphome/esphome
- https://github.com/esphome/esphome/releases/tag/2021.9.2
- https://github.com/pypa/advisory-database/tree/main/vulns/esphome/PYSEC-2021-351.yaml
Affected packages
PyPI / esphome
Package
- Name
- esphome
- View open source insights on deps.dev
- Purl
- pkg:pypi/esphome
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2021.9.2
Affected versions
1.*
1.10.1
1.11.0b1
1.11.0b2
1.11.0b3
1.11.0
1.11.1
1.11.2
1.12.0b1
1.12.0b2
1.12.0b3
1.12.0b4
1.12.0
1.12.1
1.12.2
1.13.0b1
1.13.0b2
1.13.0b3
1.13.0b4
1.13.0b5
1.13.0b6
1.13.0b7
1.13.0
1.13.1
1.13.2
1.13.3
1.13.4
1.13.5
1.13.6
1.14.0b1
1.14.0b2
1.14.0b3
1.14.0b4
1.14.0b5
1.14.0
1.14.1
1.14.2
1.14.3
1.14.4
1.14.5
1.15.0b1
1.15.0b2
1.15.0b3
1.15.0b4
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0b1
1.16.0b2
1.16.0b3
1.16.0b4
1.16.0b5
1.16.0b6
1.16.0b7
1.16.0b8
1.16.0
1.16.1
1.16.2
1.17.0b1
1.17.0
1.17.1
1.17.2
1.18.0b1
1.18.0b2
1.18.0b3
1.18.0b4
1.18.0
1.19.0b1
1.19.0b2
1.19.0b3
1.19.0b4
1.19.0b5
1.19.0b6
1.19.0b7
1.19.0
1.19.1
1.19.2
1.19.3
1.19.4
1.20.0b1
1.20.0b2
1.20.0b3
1.20.0b4
1.20.0b5
1.20.0b6
1.20.0
1.20.1
1.20.2
1.20.3
1.20.4
1.21.0b1
1.21.0b2
1.21.0b3
2021.*
2021.8.0
2021.8.1
2021.8.2
2021.9.0b1
2021.9.0b2
2021.9.0b3
2021.9.0b4
2021.9.0b5
2021.9.0
2021.9.1