PT-2021-23091 · Esphome · Esphome
Published 2021-09-28 · Updated 2021-10-07 · CVE-2021-41104

CVSS v4.0: 8.7 (High)

| Metric | Value |
| --- | --- |
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
ESPHome versions 2021.9.1 and earlier
Description
The issue affects ESPHome, a system to control the ESP8266/ESP32, where the web server allows over-the-air (OTA) updates without checking the user-defined basic auth username and password when HTTP basic auth is configured. This issue is patched in version 2021.9.2.
Recommendations
For ESPHome versions 2021.9.1 and earlier, update to version 2021.9.2 to resolve the issue.
As a temporary workaround, consider disabling or removing the web server to minimize the risk of exploitation.
Fix
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Esphome