fkie_cve-2025-25305
Vulnerability from fkie_nvd
Published
2025-02-18 19:15
Modified
2025-02-18 19:15
Severity ?
7.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correct configured SSL context the standard SSL certificate verification will happen. When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and 3rd party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector. This issue has been addressed in version 2024.1.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
security-advisories@github.comhttps://github.com/home-assistant/core/security/advisories/GHSA-m3pm-rpgg-5wj6
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correct configured SSL context the standard SSL certificate verification will happen. When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and 3rd party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector. This issue has been addressed in version 2024.1.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "Home Assistant Core es una automatizaci\u00f3n de origen de c\u00f3digo abierto que pone primero el control local y la privacidad. Las versiones afectadas est\u00e1n sujetas a los posibles ataques de hombre en el medio debido a la verificaci\u00f3n de certificado SSL faltante en la base de c\u00f3digo del proyecto y usaron de terceros librer\u00edas. En el pasado, `aiohttp-session`/` request \u0027ten\u00eda el par\u00e1metro `verify_ssl` para controlar la verificaci\u00f3n del certificado SSL. Este era un valor booleano. En `aiohttp` 3.0, este par\u00e1metro estaba desapercibido a favor del par\u00e1metro` SSL`. Solo cuando `SSL` se establece en` None` o se proporciona con un contexto SSL configurado correcto, la verificaci\u00f3n de certificado SSL est\u00e1ndar ocurrir\u00e1. Al migrar las integraciones en el Asistente de inicio librer\u00edas Aries utilizados por el Asistente de inicio, en algunos casos el valor del par\u00e1metro `Verify_SSL` se movi\u00f3 al nuevo par\u00e1metro` SSL`. Esto dio como resultado estas integraciones y librer\u00edas usando `request.ssl ??= true`, que desactiv\u00f3 involuntariamente la verificaci\u00f3n del certificado SSL y abri\u00f3 un vector de ataque de hombre en el medio. Este problema se ha abordado en la versi\u00f3n 2024.1.6 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2025-25305",
  "lastModified": "2025-02-18T19:15:29.083",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-18T19:15:29.083",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/home-assistant/core/security/advisories/GHSA-m3pm-rpgg-5wj6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-940"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.