CVE-2024-27081: 
Python vulnerability analysis and mitigation

ESPHome version 2023.12.9 (command line installation) contains a security misconfiguration in the edit configuration file API within its dashboard component. This vulnerability (CVE-2024-27081) was discovered and disclosed in February 2024, affecting the ESPHome system which is designed to control ESP8266/ESP32 devices. The vulnerability has been patched in version 2024.2.1 (GitHub Advisory).

The vulnerability is classified as a path traversal issue (CWE-22) that allows authenticated users to access files beyond intended restrictions. It received a CVSS v3.1 base score of 8.8 (HIGH) from NVD and 7.2 (HIGH) from GitHub, with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability specifically affects the edit configuration file API in the dashboard component, enabling both read and write access to files under the configuration directory (NVD).

The vulnerability enables authenticated attackers to read and write arbitrary files within the configuration directory, potentially leading to remote code execution. Attackers can write arbitrary code in python scripts that are executed during the compilation and flashing of firmwares for ESP boards. Additionally, sensitive information such as WiFi network credentials, fallback hotspot WiFi credentials, OTA component authentication password, and API encryption keys stored in esphome.json could be exposed (GitHub Advisory).

Users should upgrade to ESPHome version 2024.2.1 or later, which contains the patch for this vulnerability. The fix was implemented through a commit that addresses the path traversal issue in the dashboard's web server component (ESPHome Patch).