SSL validation for outgoing requests in Home Assistant Core and used libs not correct

Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correct configured SSL context the standard SSL certificate verification will happen. When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and 3rd party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector. This issue has been addressed in version 2024.1.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

通信信道源的不正确验证

Home Assistant 安全漏洞

Home Assistant是Home Assistant开源的一套开源的家庭自动化管理系统。该系统主要用于控制家庭自动化设备。 Home Assistant 2024.1.6之前版本存在安全漏洞，该漏洞源于未正确验证SSL证书。攻击者利用该漏洞可以拦截通信。

N/A

N/A