CVE-2023-41898

Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-142`.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:home-assistant:home_assistant_companion:*:*:*:*:*:android:*:*

History

26 Oct 2023, 16:08

Type	Values Removed	Values Added
CPE		cpe:2.3:a:home-assistant:home_assistant_companion::::::android::*
CWE		CWE-94
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
First Time		Home-assistant Home-assistant home Assistant Companion
References	~~(MISC) https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg -~~	(MISC) https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg - Vendor Advisory

19 Oct 2023, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-19 23:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-41898

Mitre link : CVE-2023-41898

CVE.ORG link : CVE-2023-41898

JSON object : View

Products Affected

home-assistant

home_assistant_companion

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2023-41898", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}]}, "published": "2023-10-19T23:15:08.703", "references": [{"url": "https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-345"}, {"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-142`."}, {"lang": "es", "value": "Home Assistant es una dom\u00f3tica de c\u00f3digo abierto. La aplicaci\u00f3n Home Assistant Companion para Android hasta la versi\u00f3n 2023.8.2 es vulnerable a la carga de URL arbitraria en un WebView. Esto permite todo tipo de ataques, incluida la ejecuci\u00f3n arbitraria de JavaScript, la ejecuci\u00f3n limitada de c\u00f3digo nativo y el robo de credenciales. Este problema se solucion\u00f3 en la versi\u00f3n 2023.9.2 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad. Este problema tambi\u00e9n se rastrea como Informe de vulnerabilidad del GitHub Security Lab (GHSL): `GHSL-2023-142`."}], "lastModified": "2023-10-26T16:08:05.517", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:home-assistant:home_assistant_companion:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "E629E5FD-6C86-4A32-9DA0-EBCF5F339716", "versionEndExcluding": "2023.9.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}