[ASA-202101-44] home-assistant: information disclosure
Arch Linux Security Advisory ASA-202101-44
==========================================

Severity: Medium
Date    : 2021-01-29
CVE-ID  : CVE-2021-3152
Package : home-assistant
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1488

Summary
=======

The package home-assistant before version 2021.1.4-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 2021.1.4-1.

# pacman -Syu "home-assistant>=2021.1.4-1"

The problem has been fixed upstream in version 2021.1.4.

Workaround
==========

The issue can be mitigated by disabling all custom integrations. This
is achieved by renaming the custom_components folder inside the Home
Assistant configuration folder to something else and restarting Home
Assistant.

Description
===========

Home Assistant before 2021.1.3 allows attackers to obtain sensitive
information because custom integrations with ../ are mishandled leading
to directory-traversal.

Impact
======

Some integrations could allow malicious users to read sensitive
information.

References
==========

https://bugs.archlinux.org/task/69398
https://www.home-assistant.io/blog/2021/01/14/security-bulletin/
https://security.archlinux.org/CVE-2021-3152
Morten Linderud
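
The advisory does not show the affected code. As an added illustration (not code from Home Assistant, any integration, or this advisory), the Python below contrasts the bug class named in the Description with a containment check a file-serving handler can apply. The function names, the example_card directory and the file contents are constructed assumptions.

```python
import tempfile
from pathlib import Path


def resolve_unsafe(base: Path, requested: str) -> Path:
    """Vulnerable pattern: joins the request path without checking the result."""
    return base / requested


def resolve_safe(base: Path, requested: str) -> Path:
    """Resolve `requested` under `base`; raise if it escapes the directory."""
    base = base.resolve()
    target = (base / requested).resolve()  # collapses ../ and follows symlinks
    target.relative_to(base)  # raises ValueError when target is outside base
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target


def demo() -> dict:
    """Build a constructed configuration folder and exercise both resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        config = Path(tmp) / "config"
        static = config / "custom_components" / "example_card" / "static"
        static.mkdir(parents=True)
        (static / "card.js").write_text("// constructed asset")
        (config / "secrets.yaml").write_text("api_key: constructed-value")

        secret = (config / "secrets.yaml").resolve()
        traversal = "../../../secrets.yaml"
        results = {
            # The unchecked join lands on a file outside the static directory.
            "unsafe_reads_secret": resolve_unsafe(static, traversal).resolve() == secret,
            # The checked resolver still serves the legitimate asset.
            "safe_serves_asset": resolve_safe(static, "card.js").name == "card.js",
        }
        # It rejects both the ../ request and an absolute path.
        for name, req in (("safe_blocks_traversal", traversal),
                          ("safe_blocks_absolute", str(secret))):
            try:
                resolve_safe(static, req)
                results[name] = False
            except ValueError:
                results[name] = True
        return results


if __name__ == "__main__":
    print(demo())
```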