CVE-2024-27081
Published 2024-02-26
Priority P2 62 | CVSS 3.1: 8.8 (High) | Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.54% (71.7th percentile)
ESPHome is a system to control your ESP8266/ESP32. A security misconfiguration in the edit configuration file API in the dashboard component of ESPHome version 2023.12.9 (command line installation) allows authenticated remote attackers to read and write arbitrary files under the configuration directory rendering remote code execution possible. This vulnerability is patched in 2024.2.1.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| esphome | esphome | — | — |
| esphome | esphome | — | — |
| esphome | esphome | >= 2023.12.9 < 2024.2.1 | 2024.2.1 |
OSV (osv · 2024-03-01): CVE-2024-27081 [HIGH] ESPHome vulnerable to remote code execution via arbitrary file write
### Summary
A security misconfiguration in the edit configuration file API of the dashboard component of ESPHome version 2023.12.9 (command line installation) allows authenticated remote attackers to read and write arbitrary files under the configuration directory, making remote code execution possible.
### Details
This path traversal vulnerability can be abused both in the command line installation and in the Home Assistant add-on, but files can only be read and written under the configuration directory.
The vulnerability is present and exploitable in the command line installation, but it was not possible to confirm an impact in the Home Assistant add-on version.
### PoC
### Impact
The issue gives read and write ac
GHSA (ghsa · 2024-03-01): CVE-2024-27081 [HIGH] CWE-22 ESPHome vulnerable to remote code execution via arbitrary file write
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/esphome/esphome/commit/d814ed1d4adc71fde47c4df41215bee449884513
https://github.com/esphome/esphome/security/advisories/GHSA-8p25-3q46-8q2p