CVE-2023-50715: 
Python vulnerability analysis and mitigation

Home Assistant, an open source home automation software, contained a vulnerability (CVE-2023-50715) prior to version 2023.12.3 where the login page disclosed all active user accounts to any unauthenticated browsing request originating on the Local Area Network. The vulnerability was discovered and disclosed on December 14, 2023, affecting all Home Assistant installations before version 2023.12.3 (GitHub Advisory).

The vulnerability occurred when the Home Assistant login page returned all currently active user accounts to browsing requests from the Local Area Network. This disclosure happened under two conditions: when the request was not authenticated and when the request originated locally (on the Home Assistant host local subnet or any private subnet including 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fd00::/8, ::ffff:10.0.0.0/104, ::ffff:172.16.0.0/108, ::ffff:192.168.0.0/112). The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).

The vulnerability allowed any unauthenticated actor on the local network to view all user accounts, including their profile photos, regardless of whether they had logged in or not. While the disclosure was limited to requests originating from LAN addresses, it affected any private subnet that could reach the Home Assistant instance (GitHub Advisory).

The vulnerability was patched in Home Assistant version 2023.12.3. Users are advised to upgrade to this version or later to address the issue. The fix involved disabling the user profiles feature on the login screen (GitHub Patch).