CVE-2021-41104

ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which web_server allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove web_server.

Published: Sep 28, 2021
Updated: May 9, 2024
CVE: CVE-2021-41104
GHSA: GHSA-48mj-p7x2-5jfm
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-306

Affected Software
References

Software	From	Fixed in
esphome / esphome_firmware	-	2021.9.2
esphome	-	2021.9.2

https://github.com/esphome/esphome/commit/be965a60eba6bb769e2a5afdbc8eed132f077a59
https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e
https://github.com/esphome/esphome/releases/tag/2021.9.2
https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm

Vulnerability Database

CVE-2021-41104

Deep Security Visibility Without the Complexity