CVE-2023-41894: 
Homebrew vulnerability analysis and mitigation

Home Assistant, an open source home automation software, was found to have a vulnerability (CVE-2023-41894) where webhooks in the webhook component could be triggered via the *.ui.nabu.casa URL without authentication, even when marked as 'Only accessible from the local network'. This vulnerability was discovered during a Cure53 security audit and was addressed in version 2023.9.0, released on September 6, 2023 (Home Assistant Blog, GitHub Advisory).

The vulnerability was facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. The CVSS v3.1 base score for this vulnerability is 5.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability could allow unauthorized access to webhooks that were intended to be accessible only from the local network, potentially leading to information disclosure. The confidentiality impact is rated as Low, while there are no direct impacts on integrity or availability of the system (NVD).

The vulnerability has been fixed in Home Assistant version 2023.9.0. All users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability (GitHub Advisory).

The vulnerability was discovered as part of a broader security audit conducted by Cure53, a well-known cybersecurity firm. According to their report, while this issue was identified, they noted that the overall quality of the Home Assistant codebase was impressive and exhibited resilient design paradigms (Home Assistant Blog).