CVE编号
CVE-2021-41104利用情况
暂无补丁情况
N/A披露时间
2021-09-29漏洞描述
ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`.解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接 |
|
|---|---|
| https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78c... | |
| https://github.com/esphome/esphome/releases/tag/2021.9.2 | |
| https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 系统 | esphome | esphome_firmware | * |
Up to (excluding) 2021.9.2 |
|||||
| 运行在以下环境 | |||||||||
| 硬件 | espressif | esp32 | - | - | |||||
| 运行在以下环境 | |||||||||
| 硬件 | espressif | esp8266 | - | - | |||||
- 攻击路径 网络
- 攻击复杂度 低
- 权限要求 无
- 影响范围 未更改
- 用户交互 无
- 可用性 无
- 保密性 无
- 完整性 高
还没有评论,来说两句吧...