CVE-2023-27482: 
NixOS vulnerability analysis and mitigation

A critical authentication bypass vulnerability (CVE-2023-27482) was discovered in Home Assistant affecting versions before 2023.3.2 and Home Assistant Supervisor versions before 2023.03.3. The vulnerability allowed unauthenticated remote attackers to bypass authentication and directly access the Supervisor API through Home Assistant. This vulnerability impacted Home Assistant OS and Home Assistant Supervised installations, while Home Assistant Container and Home Assistant Core installations were not affected (GitHub Advisory, Home Assistant Blog).

The vulnerability existed in the Home Assistant Supervisor Integration that allowed an unauthenticated user to access any Supervisor API endpoint. The issue stemmed from the way path traversal was handled in URL processing, where payloads like 'app/.%252e/supervisor/info' could bypass security filters. The integration was installed by default on Home Assistant OS and Home Assistant Supervised installations, and according to analytics, was used by 74.9% of active installations at the time of discovery (Elttam Advisory).

The vulnerability allowed attackers to achieve remote code execution as root on the host system, create and download full backups containing authentication keys, access secrets.yaml files containing passwords and API keys for third-party services, and access the Home Assistant Database containing events data. This could lead to complete takeover of a home automation system and give attackers the ability to control cameras, listen to private conversations, and gain access to sensitive credentials stored in plaintext (Elttam Blog).

The issue was patched in Home Assistant Core version 2023.3.2 and Supervisor version 2023.03.3. The fix was automatically rolled out to affected installations via the Supervisor auto-update feature. For users unable to upgrade, the recommended workaround was to not expose the Home Assistant instance to the internet (GitHub Advisory, Home Assistant Blog).

The vulnerability received significant attention in the security community, with discussions on platforms like Hacker News, Reddit, and the Home Assistant forums. The disclosure process faced some criticism regarding the clarity of security advisory details and the timing of patch releases (Elttam Blog).