{"id":"PYSEC-2021-351","details":"ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking the user-defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`.","aliases":["CVE-2021-41104","GHSA-48mj-p7x2-5jfm"],"modified":"2023-11-01T04:56:23.963246Z","published":"2021-09-28T16:15:00Z","references":[{"type":"FIX","url":"https://github.com/esphome/esphome/commit/2234f6aacf8cc653307fed80f3750317a82c4f83"},{"type":"WEB","url":"https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"},{"type":"WEB","url":"https://github.com/esphome/esphome/releases/tag/2021.9.2"},{"type":"ADVISORY","url":"https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"}],"affected":[{"package":{"name":"esphome","ecosystem":"PyPI","purl":"pkg:pypi/esphome"},"ranges":[{"type":"GIT","repo":"https://github.com/esphome/esphome","events":[{"introduced":"0"},{"fixed":"2234f6aacf8cc653307fed80f3750317a82c4f83"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2021.9.2"}]}],"versions":["1.10.1","1.11.0","1.11.0b1","1.11.0b2","1.11.0b3","1.11.1","1.11.2","1.12.0","1.12.0b1","1.12.0b2","1.12.0b3","1.12.0b4","1.12.1","1.12.2","1.13.0","1.13.0b1","1.13.0b2","1.13.0b3","1.13.0b4","1.13.0b5","1.13.0b6","1.13.0b7","1.13.1","1.13.2","1.13.3","1.13.4","1.13.5","1.13.6","1.14.0","1.14.0b1","1.14.0b2","1.14.0b3","1.14.0b4","1.14.0b5","1.14.1","1.14.2","1.14.3","1.14.4","1.14.5","1.15.0","1.15.0b1","1.15.0b2","1.15.0b3","1.15.0b4","1.15.1","1.15.2","1.15.3","1.16.0","1.16.0b1","1.16.0b2","1.16.0b3","1.16.0b4","1.16.0b5","1.16.0b6","1.16.0b7","1.16.0b8","1.16.1","1.16.2","1.17.0","1.17.0b1","1.17.1","1.17.2","1.18.0","1.18.0b1","1.18.0b2","1.18.0b3","1.18.0b4","1.19.0","1.19.0b1","1.19.0b2","1.19.0b3","1.19.0b4","1.19.0b5","1.19.0b6","1.19.0b7","1.19.1","1.19.2","1.19.3","1.19.4","1.20.0","1.20.0b1","1.20.0b2","1.20.0b3","1.20.0b4","1.20.0b5","1.20.0b6","1.20.1","1.20.2","1.20.3","1.20.4","1.21.0b1","1.21.0b2","1.21.0b3","2021.8.0","2021.8.1","2021.8.2","2021.9.0","2021.9.0b1","2021.9.0b2","2021.9.0b3","2021.9.0b4","2021.9.0b5","2021.9.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/esphome/PYSEC-2021-351.yaml"}}],"schema_version":"1.7.3"}