CVE-2023-50715

Advisory

Home Assistant before version 2023.12.3 has a vulnerability where the login page would disclose all active user accounts to unauthenticated LAN requests. This aimed to simplify login by displaying user profiles, similar to other applications. However, it exposed accounts to any LAN-connected device. Version 2023.12.3 patches this issue, limiting account visibility to enhance security. This vulnerability was specific to requests from the local or any reachable private subnet.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50715
• https://github.com/home-assistant/core/security/advisories/GHSA-jqpc-rc7g-vf83
• https://github.com/home-assistant/core/commit/dbfc5ea8f96bde6cd165892f5a6a6f9a65731c76