Unknown · Aiohttp-Session · CVE-2025-25305
Name of the Vulnerable Software and Affected Versions:
Home Assistant Core versions prior to 2024.1.6
Description:
The issue concerns a potential man-in-the-middle attack due to missing SSL certificate verification in the project codebase and in the third-party libraries it uses. In the past, `aiohttp-session`/`request` had the boolean parameter `verify_ssl` to control SSL certificate verification. In `aiohttp` 3.0, however, this parameter was deprecated in favor of the `ssl` parameter. When `ssl` is set to `None` or to a correctly configured SSL context, standard SSL certificate verification takes place. During migration, some integrations and third-party libraries used `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened a man-in-the-middle attack vector.
Recommendations:
For versions prior to 2024.1.6, upgrade to version 2024.1.6 to address the issue. As a temporary workaround, consider disabling the use of `ssl=True` in affected integrations and libraries until the issue is resolved. Restrict access to affected API endpoints, such as those using `aiohttp-session`/`request`, to minimize the risk of exploitation. Avoid using the `ssl` parameter with a value of `True` in affected API endpoints until the issue is resolved.
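The following Python block is an added example illustrating the description and the recommendation above; it is not code from Home Assistant, aiohttp, or this advisory. It does two things a maintainer auditing an integration would want: a small `ast`-based scanner that flags HTTP calls passing a bare boolean as the `ssl` argument (the `ssl=True` migration mistake, plus the explicit `ssl=False` opt-out, so both can be triaged), and a `resolve_ssl_param` helper that maps a legacy value onto an explicit, verifying `SSLContext` and refuses values that would skip verification. The function names, the `HTTP_METHODS` set, and the `SAMPLE_SOURCE` module are constructed for this example; aiohttp itself is not imported, so the block runs offline.

```python
"""Added example (not Home Assistant or aiohttp code): detect and remediate the
`ssl=True` anti-pattern. Names here are assumptions made for the example."""
import ast
import ssl

# Constructed sample module in the style of an integration: one unsafe call,
# one safe call and one explicit opt-out, for the scanner to classify.
SAMPLE_SOURCE = '''
import aiohttp

async def fetch(session: aiohttp.ClientSession, url: str):
    # migrated from verify_ssl=True; on old aiohttp this silently skips verification
    return await session.get(url, ssl=True)

async def fetch_ok(session, url):
    return await session.get(url, ssl=None)

async def fetch_opt_out(session, url):
    return await session.get(url, ssl=False)
'''

# Method names whose `ssl` keyword is passed through to the aiohttp connector.
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def find_ssl_true_calls(source: str):
    """Return sorted (line, value) pairs for HTTP calls that pass ssl=True or ssl=False.

    ssl=True is the migration mistake described in the advisory; ssl=False is a
    deliberate but still unverified connection. Both are reported so a reviewer
    can replace them with ssl=None or an explicit SSLContext.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in HTTP_METHODS:
            continue
        for kw in node.keywords:
            if (kw.arg == "ssl" and isinstance(kw.value, ast.Constant)
                    and isinstance(kw.value.value, bool)):
                findings.append((node.lineno, kw.value.value))
    return sorted(findings)


def resolve_ssl_param(value):
    """Map a legacy `ssl`/`verify_ssl` value onto an explicit, verifying SSLContext.

    None and True are treated as "use default verification" and turned into a
    fresh default context; an SSLContext is accepted only if it still verifies;
    False is rejected so a caller cannot disable verification by accident.
    """
    if value is False:
        raise ValueError("ssl=False disables certificate verification")
    if isinstance(value, ssl.SSLContext):
        if not context_verifies(value):
            raise ValueError("SSLContext does not verify peer certificates")
        return value
    if value is None or value is True:
        return ssl.create_default_context()
    raise TypeError(f"unsupported ssl parameter: {value!r}")


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True when the context both checks the chain and matches the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for line, value in find_ssl_true_calls(SAMPLE_SOURCE):
        print(f"line {line}: ssl={value!r} -> pass ssl=None or a verifying SSLContext")
    print("default context verifies:", context_verifies(resolve_ssl_param(True)))
```

Running the block on the constructed sample reports the `ssl=True` call on line 6 and the `ssl=False` call on line 12, and leaves the `ssl=None` call alone. The `resolve_ssl_param` helper is the shape of a guard an integration can put in front of its HTTP client so that a boolean inherited from the old `verify_ssl` parameter can never reach the connector as an unverified context.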