PT-2023-28149 · Unknown · Home Assistant
Frenck · Published 2023-10-19 · Updated 2023-10-26
CVE-2023-41893 · CVSS v3.1: 5.4 (Medium) · Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Home Assistant versions prior to 2023.9.0

Description: The issue concerns the alterability of the redirect URI and client ID when logging in to Home Assistant, an open-source home automation system. An attacker can send the victim a link to the victim's own Home Assistant instance that carries an attacker-controlled redirect URI. If the victim authenticates via this link, the authorization code is sent to the URL given in the redirect URI, and the attacker can exchange that code for an access token, gaining access to the account. The attack is plausible when the victim has exposed their Home Assistant instance to the Internet. An attacker could make the link more convincing by registering a domain that closely resembles homeassistant.local, so that the malicious redirect target appears legitimate.

Recommendations: To resolve the issue, upgrade to version 2023.9.0 or later. As a temporary workaround, consider restricting access to the redirect URI parameter to minimize the risk of exploitation. Avoid using the redirect URI parameter in the affected login endpoint until the issue is resolved. Restrict access to the Home Assistant instance from the Internet to minimize the risk of exploitation.
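The defensive check behind the recommendation above is that the login endpoint must never trust a redirect URI taken from the request; it must only honour one that exactly matches what was registered for the given client ID. The following is an added illustration of that check, written for this entry and not taken from Home Assistant's code base; the client registration table, the URIs and the function names are constructed for the example. The unchecked variant is shown only to make the contrast with the strict-match variant clear.

```python
from urllib.parse import urlsplit, urlencode

# Constructed sample registration (hypothetical data, not Home Assistant's
# registration store): the redirect URIs each client_id is allowed to use.
REGISTERED_REDIRECTS = {
    "https://panel.example.invalid": {
        "https://panel.example.invalid/auth/callback",
    },
}


def _canonical(uri):
    """Return (scheme, host, port, path, query) in normalised form, or None if unusable.

    Only http/https are accepted, the host is lower-cased, the default port is
    filled in, and URIs carrying a fragment are rejected outright.
    """
    try:
        parts = urlsplit(uri)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname or parts.fragment:
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    return (scheme, parts.hostname.lower(), port, parts.path or "/", parts.query)


def is_allowed_redirect(client_id, redirect_uri):
    """Accept redirect_uri only if it exactly matches a URI registered for client_id.

    Exact matching on the canonical form means a userinfo trick
    ("https://good@other/..."), a look-alike host ("good.other"), a scheme
    downgrade or a different path all fail, because none of them equals a
    registered entry once parsed.
    """
    allowed = REGISTERED_REDIRECTS.get(client_id)
    if not allowed:
        return False
    candidate = _canonical(redirect_uri)
    if candidate is None:
        return False
    return any(candidate == _canonical(entry) for entry in allowed)


def redirect_target_unchecked(redirect_uri, code):
    """Weak form: the authorization code goes wherever the request said (do not use)."""
    return f"{redirect_uri}?{urlencode({'code': code})}"


def redirect_target_checked(client_id, redirect_uri, code):
    """Hardened form: issue the code only to a registered redirect URI, else refuse."""
    if not is_allowed_redirect(client_id, redirect_uri):
        return None
    return f"{redirect_uri}?{urlencode({'code': code})}"


if __name__ == "__main__":
    # Constructed sample requests, as a login endpoint might receive them.
    client = "https://panel.example.invalid"
    good = "https://panel.example.invalid/auth/callback"
    lookalike = "https://panel.example.invalid.other.invalid/auth/callback"
    print(redirect_target_checked(client, good, "constructed-code"))      # redirect issued
    print(redirect_target_checked(client, lookalike, "constructed-code")) # None: refused
```

Whether the stored registration keys redirect URIs by client ID, as here, or derives them from the client ID itself is a design choice of the application; the property that matters is that the comparison is an exact match against data the user of the login page cannot alter.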

Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2023-41893
GHSA-QHHJ-7HRC-GQJ5
PYSEC-2023-214

Affected Products

Home Assistant