CVE-2023-41899

Name of the Vulnerable Software and Affected Versions Home assistant versions prior to 2023.9.0

Description The issue concerns a partial Server-Side Request Forgery vulnerability in the hassio.addon stdin service, where an attacker capable of calling this service may be able to invoke any Supervisor REST API endpoints with a POST request. This could allow the attacker to control the data dictionary, including its addon and input key/values.

Recommendations For versions prior to 2023.9.0, upgrade to version 2023.9.0 or later to address the issue. As a temporary workaround, consider restricting access to the hassio.addon stdin service until the upgrade is possible. Additionally, be cautious when using Supervisor REST API endpoints to minimize the risk of exploitation.