web_server allows OTA update without checking user defined basic auth username & password

High
jesserockz published GHSA-48mj-p7x2-5jfm Sep 28, 2021

Package

esphome (pip)

Affected versions

<= 2021.9.1

Patched versions

2021.9.2

Description

Impact

Anyone with web_server enabled and HTTP basic auth configured on 2021.9.1 or older is affected: web_server allows an OTA update without checking the user-defined basic auth username and password.

Patches

Patch released in 2021.9.2
Original commit be965a6
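The class of bug this advisory describes is an authentication check applied per handler, so that one handler (the OTA update route) silently goes without it. The model below is an added example, not ESPHome's code or the patch in be965a6; the route table, the credentials and the `route_vulnerable`/`route_fixed` names are constructed for the demonstration, and the hardened form shows the remedy of a single auth gate in front of every handler.

```python
import base64
import hmac

# Constructed demo credentials (not taken from the advisory).
USERNAME = "admin"
PASSWORD = "s3cret"


def authorized(headers: dict) -> bool:
    """Validate an HTTP Basic 'Authorization' header against the configured credentials."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except ValueError:  # covers binascii.Error (bad base64) and UnicodeDecodeError
        return False
    # Constant-time comparison so response timing does not leak credential bytes.
    return hmac.compare_digest(user, USERNAME) and hmac.compare_digest(pw, PASSWORD)


def route_vulnerable(method: str, path: str, headers: dict) -> int:
    """Bug pattern: each handler checks auth itself, and the OTA handler forgot to."""
    if path == "/":
        return 200 if authorized(headers) else 401
    if method == "POST" and path == "/update":
        return 200  # firmware image accepted with no credential check at all
    return 404


def route_fixed(method: str, path: str, headers: dict) -> int:
    """Hardened pattern: one auth gate ahead of every handler, OTA included."""
    if not authorized(headers):
        return 401
    if path == "/":
        return 200
    if method == "POST" and path == "/update":
        return 200
    return 404


def basic_header(user: str, pw: str) -> dict:
    """Build the Basic auth header a browser or curl would send for user:pw."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}


if __name__ == "__main__":
    print("vulnerable, anonymous OTA:", route_vulnerable("POST", "/update", {}))  # 200
    print("fixed, anonymous OTA:", route_fixed("POST", "/update", {}))  # 401
    print("fixed, authenticated OTA:", route_fixed("POST", "/update", basic_header(USERNAME, PASSWORD)))  # 200
```

The last two calls double as a regression test: after applying an auth fix, an unauthenticated request to the update route must return 401 while a correctly credentialed one still succeeds.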

Workarounds

Disable/remove web_server

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-41104

Weaknesses

No CWEs

Credits