VulnerableCode Package Details - pkg:pypi/homeassistant@2022.8.0b2

Search for packages

Vulnerability	Summary	Fixed by
VCID-pww9-arp9-4qa8 Aliases: CVE-2023-41893 GHSA-qhhj-7hrc-gqj5 PYSEC-2023-214	Home assistant is an open source home automation. The audit team’s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim’s `access_token` the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions. To achieve this compromise attempt, the attacker must send a link with a `redirect_uri` that they control to the victim’s own Home Assistant instance. In the eventuality the victim authenticates via said link, the attacker would obtain code sent to the specified URL in `redirect_uri`, which can then be leveraged to fetch an `access_token`. Pertinently, an attacker could increase the efficacy of this strategy by registering a near identical domain to `homeassistant.local`, which at first glance may appear legitimate and thereby obfuscate any malicious intentions. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.	2023.9.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-pww9-arp9-4qa8
Aliases:
CVE-2023-41893
GHSA-qhhj-7hrc-gqj5
PYSEC-2023-214

Home assistant is an open source home automation. The audit team’s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim’s `access_token` the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions. To achieve this compromise attempt, the attacker must send a link with a `redirect_uri` that they control to the victim’s own Home Assistant instance. In the eventuality the victim authenticates via said link, the attacker would obtain code sent to the specified URL in `redirect_uri`, which can then be leveraged to fetch an `access_token`. Pertinently, an attacker could increase the efficacy of this strategy by registering a near identical domain to `homeassistant.local`, which at first glance may appear legitimate and thereby obfuscate any malicious intentions. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

2023.9.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-30T20:33:06.280425+00:00	Pypa Importer	Affected by	VCID-pww9-arp9-4qa8	https://github.com/pypa/advisory-database/blob/main/vulns/homeassistant/PYSEC-2023-214.yaml	38.6.0

2026-05-30T20:33:06.280425+00:00

Pypa Importer

Affected by

VCID-pww9-arp9-4qa8

https://github.com/pypa/advisory-database/blob/main/vulns/homeassistant/PYSEC-2023-214.yaml

38.6.0

Next non-vulnerable version	2023.9.0
Latest non-vulnerable version	2023.9.0
Risk