SCA: security update for esphome (GHSA-5925-88xh-6h99)

high Tenable Cloud Security Plugin ID 410705

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ESPHome is a system to control microcontrollers remotely through Home Automation systems. API endpoints in
dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site
Request Forgery (CSRF) allowing remote attackers to carry out attacks against a logged user of the
dashboard to perform operations on configuration files (create, edit, delete). It is possible for a
malicious actor to create a specifically crafted web page that triggers a cross site request against
ESPHome, this allows bypassing the authentication for API calls on the platform. This vulnerability allows
bypassing authentication on API calls accessing configuration file operations on the behalf of a logged
user. In order to trigger the vulnerability, the victim must visit a weaponized page. In addition to this,
it is possible to chain this vulnerability with GHSA-9p43-hj5j-96h5/ CVE-2024-27287 to obtain a complete
takeover of the user account. Version 2024.3.0 contains a patch for this issue. (CVE-2024-29019)

See Also

https://github.com/advisories/GHSA-5925-88xh-6h99

Plugin Details

Severity: High

ID: 410705

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.2

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2024-29019

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/21/2024

Vulnerability Publication Date: 3/21/2024

Reference Information

CVE: CVE-2024-29019

cwe: CWE-352