Remotely Exploited Vulnerability in the Home Assistant Platform

A critical vulnerability (CVE-2023-27482) has been identified in the Home Assistant open home automation platform. It allows authentication to be bypassed to gain full access to the privileged Supervisor API, through which settings can be changed, software installed or updated, and add-ons and backups managed.

The issue affects installations that use the Supervisor component and has been present since its first releases (since 2017). For example, the vulnerability exists in the Home Assistant OS and Home Assistant Supervised environments, but does not affect Home Assistant Container (Docker) and manually created Python environments based on Home Assistant Core.

The vulnerability has been fixed in Home Assistant Supervisor version 2023.01.1, and the Home Assistant 2023.3.0 release includes additional protective measures. On systems where the update cannot be installed, restrict access to the network port of the Home Assistant web service from external networks.

The method of exploiting the vulnerability has not yet been disclosed (according to the developers, about a third of users have installed the update, and many systems remain vulnerable). In the fixed version, changes to token handling and to the processing of proxied requests were introduced under the guise of optimizations, and filters were added to block SQL query injection, tag injection, and the use of paths containing "../" and "/./".
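As an added defensive illustration, not code from Home Assistant, the Supervisor project or this article: a request-path filter of the kind the fix describes for a proxy that forwards requests to a privileged backend API. It rejects the "../" and "/./" sequences mentioned above, including percent-encoded and double-encoded forms, and additionally checks that the normalised path still lies under an allowed prefix. The mount point "/api/" and the sample request paths are constructed for this example.

```python
"""Path filter for a proxy in front of a privileged API (added example).

Assumptions (not from the article): the backend is mounted under
ALLOWED_PREFIX, and the SAMPLE_PATHS below are constructed test inputs.
"""
import posixpath
from urllib.parse import unquote, urlsplit

ALLOWED_PREFIX = "/api/"  # hypothetical mount point of the proxied backend


def _fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded "%252e%252e" is caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_safe_proxy_path(raw_path: str) -> bool:
    """Return True only for paths that may be forwarded to the backend."""
    path = urlsplit(raw_path).path  # drop query string and fragment
    path = _fully_decode(path)

    # Reject the literal traversal sequences before any normalisation,
    # so a later component cannot be tricked into resolving them.
    if "../" in path or "/./" in path:
        return False
    if path.endswith("/..") or path.endswith("/."):
        return False
    # Backslashes and NUL bytes have no place in a forwarded URL path.
    if "\\" in path or "\x00" in path:
        return False

    # Collapse duplicate slashes and require the result to stay under the prefix.
    normalised = posixpath.normpath(path)
    return normalised.startswith(ALLOWED_PREFIX)


def partition_requests(paths):
    """Split request paths into (forwarded, rejected) lists."""
    forwarded = [p for p in paths if is_safe_proxy_path(p)]
    rejected = [p for p in paths if not is_safe_proxy_path(p)]
    return forwarded, rejected


# Constructed sample inputs: two benign paths and several traversal attempts.
SAMPLE_PATHS = [
    "/api/states",
    "/api//states?limit=5",
    "/api/hassio/../supervisor/info",
    "/api/%2e%2e/supervisor/info",
    "/api/%252e%252e/supervisor/info",
    "/api/./supervisor/info",
    "/supervisor/info",
]

if __name__ == "__main__":
    ok, bad = partition_requests(SAMPLE_PATHS)
    print("forwarded:", ok)
    print("rejected: ", bad)
```

The check runs on the decoded path rather than the raw one because a single-decoding proxy would otherwise forward "%2e%2e/" unchanged and leave the backend to interpret it; the prefix check after normalisation is a second, independent line of defence.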

Source: opennet.ru
