
CVE-2018-21019: Home Assistant information disclosure vulnerability

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.78985%
Published: 5/24/2022
Updated: 9/20/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: homeassistant
Ecosystem: pip
Vulnerable Versions: < 0.67.0
First Patched Version: 0.67.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from the insecure registration of the error log endpoint in api.py. The pre-patch code (vulnerable versions) used register_static_path with no authentication, while the fix introduced an authenticated view (APIErrorLog). The setup function's conditional block (if log_path:) directly enabled the insecure endpoint, making it the root cause. The commit diff and CWE-200 context confirm this was an authentication bypass issue.


WAF Protection Rules

WAF Rule

Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py.
