CVE-2021-41104 - OpenCVE

ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Esphome	Esphome Firmware
Espressif	Esp32 Esp8266

Configuration 1 [-]

AND

cpe:2.3:o:esphome:esphome_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:espressif:esp32:-:::::::*
	cpe:2.3:h:espressif:esp8266:-:::::::*

No data.

References

Link	Providers
https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e
https://github.com/esphome/esphome/releases/tag/2021.9.2
https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-09-28T15:15:11

Updated: 2024-08-04T02:59:31.350Z

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41104

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-09-28T16:15:08.413

Modified: 2021-10-07T14:13:41.657

Link: CVE-2021-41104

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "esphome", "vendor": "esphome", "versions": [{"status": "affected", "version": "< 2021.9.2"}]}], "descriptions": [{"lang": "en", "value": "ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-28T15:15:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/esphome/esphome/releases/tag/2021.9.2"}], "source": {"advisory": "GHSA-48mj-p7x2-5jfm", "discovery": "UNKNOWN"}, "title": "web_server allows OTA update without checking user defined basic auth username & password", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41104", "STATE": "PUBLIC", "TITLE": "web_server allows OTA update without checking user defined basic auth username & password"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "esphome", "version": {"version_data": [{"version_value": "< 2021.9.2"}]}}]}, "vendor_name": "esphome"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-306: Missing Authentication for Critical Function"}]}]}, "references": {"reference_data": [{"name": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm", "refsource": "CONFIRM", "url": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"}, {"name": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e", "refsource": "MISC", "url": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"}, {"name": "https://github.com/esphome/esphome/releases/tag/2021.9.2", "refsource": "MISC", "url": "https://github.com/esphome/esphome/releases/tag/2021.9.2"}]}, "source": {"advisory": "GHSA-48mj-p7x2-5jfm", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:59:31.350Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/esphome/esphome/releases/tag/2021.9.2"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41104", "datePublished": "2021-09-28T15:15:11", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.350Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:esphome:esphome_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "731C3CD3-0010-4AD8-9622-D7B79FB08EE5", "versionEndExcluding": "2021.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*", "matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C", "vulnerable": false}, {"criteria": "cpe:2.3:h:espressif:esp8266:-:*:*:*:*:*:*:*", "matchCriteriaId": "0A1C8D90-B27E-4E82-8A72-E1FF3FABA1A0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`."}, {"lang": "es", "value": "ESPHome es un sistema para controlar el ESP8266/ESP32. Cualquiera que tenga web_server habilitado y la autenticaci\u00f3n b\u00e1sica HTTP configurada en la versi\u00f3n 2021.9.1 o anterior, es vulnerable a un problema en el que \"web_server\" permite actualizaciones over-the-air (OTA) sin comprobar el nombre de usuario y la contrase\u00f1a de autenticaci\u00f3n b\u00e1sica definidos por el usuario. Este problema ha sido parcheado en la versi\u00f3n 2021.9.2. Como soluci\u00f3n, se puede deshabilitar o eliminar \"web_server\""}], "id": "CVE-2021-41104", "lastModified": "2021-10-07T14:13:41.657", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-09-28T16:15:08.413", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/esphome/esphome/releases/tag/2021.9.2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Secondary"}]}