Vulnerability Information
Vulnerability Title
hass-cli: Handling of user-supplied Jinja2 templates
Vulnerability Description
The Home Assistant Command-line interface (hass-cli) is a command-line tool for Home Assistant. Up to 1.0.0 of home-assistant-cli, an unrestricted environment was used to handle Jinja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internals and extended the scope of templating beyond the intended usage. This vulnerability is fixed in 1.0.0.
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
Vulnerability Type
Improper control of generation of code (code injection)
Vulnerability Title
Home Assistant code injection vulnerability
Vulnerability Description
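Home Assistant is an open-source home automation management system from Home Assistant. The system is mainly used to control home automation devices. Home Assistant 1.0.0 and earlier versions have a code injection vulnerability, which stems from the use of an unrestricted environment to process Jinja2 templates and may allow users to access Python internals and go beyond the intended scope of templating.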
CVSS Information
N/A
Vulnerability Type
N/A
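The difference between the unrestricted and the sandboxed Jinja2 environment described above, as an added example that is not hass-cli's own code. The helper `friendly_name`, the sample entity and both template strings are constructed for illustration; `Environment` and `SandboxedEnvironment` are the real Jinja2 classes.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


def friendly_name(entity):
    """Hypothetical helper exposed to templates (not part of hass-cli)."""
    return entity["entity_id"].split(".", 1)[1].replace("_", " ").title()


# Constructed sample data standing in for what a CLI would pass to a template.
CONTEXT = {
    "entity": {"entity_id": "light.living_room", "state": "on"},
    "friendly_name": friendly_name,
}

# A template that stays within the intended use of templating.
INTENDED = "{{ friendly_name(entity) }} is {{ entity.state | upper }}"
# A template that reaches into a Python internal of an exposed object.
INTROSPECTING = "{{ friendly_name.__code__.co_name }}"


def render(env, source):
    """Render source in env; return ("ok", text) or ("blocked", reason)."""
    try:
        return "ok", env.from_string(source).render(**CONTEXT)
    except SecurityError as exc:
        # The sandbox refuses underscore-prefixed and other internal attributes.
        return "blocked", str(exc)


def compare(source):
    """Render the same template in both kinds of environment."""
    return {
        "unrestricted": render(Environment(), source),
        "sandboxed": render(SandboxedEnvironment(), source),
    }


if __name__ == "__main__":
    for label, source in (("intended", INTENDED), ("introspecting", INTROSPECTING)):
        print(label, compare(source))
```

The intended template renders identically in both environments, so moving to the sandbox does not change legitimate output; only the access to Python internals is refused.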