Remotely exploitable vulnerability in the Home Assistant platform

A critical vulnerability (CVE-2023-27482) has been identified in the open Home Assistant platform. It allows an attacker to bypass authentication and gain full access to the privileged Supervisor API, through which settings can be changed, software installed or updated, and add-ons and backups managed.

The issue affects installations that use the Supervisor component and has been present since its first releases (since 2017). For example, the vulnerability is present in Home Assistant OS and Home Assistant Supervised environments, but it does not affect Home Assistant Container (Docker) or manually created Python environments based on Home Assistant Core.

The vulnerability is fixed in Home Assistant Supervisor 2023.01.1. An additional workaround is included in the Home Assistant 2023.3.0 release. On systems where the update cannot be installed, the vulnerability can be blocked by restricting network access to the Home Assistant web interface from external networks.

The method of exploiting the vulnerability has not yet been described in detail (according to the developers, about 1/3 of users have installed the update and many systems remain vulnerable). In the fixed version, under the guise of optimization, changes were made to the handling of tokens and proxied requests, and filters were added to block SQL query injection, the insertion of " " and the use of paths with "../" and "/./".
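The fixed release is described as rejecting request paths that contain "../" and "/./". The following is an added example of such a path filter, not Home Assistant's own code: the function names, the decode limit and the sample paths are assumptions made for illustration. It goes slightly beyond the literal patterns by also catching percent-encoded and backslash variants of the same dot segments.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical limit: paths still changing after this many decode passes are rejected.
MAX_DECODE_ROUNDS = 3
# A path segment that is exactly "." or "..", i.e. the "/./" and "../" forms.
_DOT_SEGMENT = re.compile(r"(^|/)\.{1,2}(/|$)")


def fully_decode(raw_path: str) -> Optional[str]:
    """Percent-decode until the path stops changing.

    Returns None when the path is encoded more deeply than the limit,
    so nested encodings cannot slip past a single decode pass.
    """
    current = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    return current if unquote(current) == current else None


def is_path_allowed(raw_path: str) -> bool:
    """Return False for paths containing "." or ".." segments in any encoding."""
    decoded = fully_decode(raw_path)
    if decoded is None:
        return False
    # Treat backslashes as separators so "..\\" is judged like "../".
    normalized = decoded.replace("\\", "/")
    return _DOT_SEGMENT.search(normalized) is None


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real deployment.
    for sample in ("/api/example/info", "/api/example/../other",
                   "/api/example/./info", "/api/%2e%2e/other",
                   "/api/%252e%252e/other", "/files/v1.2/..hidden"):
        print(f"{sample!r:32} allowed={is_path_allowed(sample)}")
```

A filter like this runs before routing or proxying, on the raw path as received, so that the decision is made on the same bytes the backend will later decode.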

Source: opennet.ru
