ArchLinux: 202101-44: home-assistant: information disclosure
Summary
Home Assistant before 2021.1.3 allows attackers to obtain sensitive information because custom integrations with ../ are mishandled, leading to directory traversal.
Resolution
Upgrade to 2021.1.4-1.
# pacman -Syu "home-assistant>=2021.1.4-1"
The problem has been fixed upstream in version 2021.1.4.
References
https://bugs.archlinux.org/task/69398
https://www.home-assistant.io/blog/2021/01/14/security-bulletin/
https://security.archlinux.org/CVE-2021-3152
Workaround
The issue can be mitigated by disabling all custom integrations. This is achieved by renaming the custom_components folder inside the Home Assistant configuration folder to something else and restarting Home Assistant.
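
The workaround above, written as shell functions (an added example, not part of the advisory or of Home Assistant). The configuration directory is passed in by the caller, and the `custom_components.disabled` target name is an assumption, since the advisory only says to rename the folder to something else.

```shell
#!/bin/sh
# Added example: apply the custom_components workaround to one config directory.
# Assumption: the caller passes the Home Assistant configuration directory;
# its location depends on the install and is not stated in the advisory.

# Prints the name of each custom integration currently loadable, one per line.
list_custom_integrations() {
    cfg=$1
    [ -d "$cfg/custom_components" ] || return 0
    for d in "$cfg/custom_components"/*/; do
        [ -d "$d" ] && basename "$d"
    done
    return 0
}

# Renames custom_components so Home Assistant no longer finds it.
# Exit status: 0 = renamed or nothing to do, 1 = error (nothing was changed).
disable_custom_integrations() {
    cfg=$1
    src="$cfg/custom_components"
    dst="$cfg/custom_components.disabled"   # assumed name; any other name works
    if [ ! -d "$cfg" ]; then
        echo "config directory not found: $cfg" >&2
        return 1
    fi
    if [ ! -e "$src" ] && [ ! -L "$src" ]; then
        echo "no custom_components folder, nothing to disable"
        return 0
    fi
    # Never clobber an earlier backup: a second run must not lose data.
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        echo "refusing to overwrite existing $dst" >&2
        return 1
    fi
    mv -- "$src" "$dst" || return 1
    echo "renamed $src -> $dst; restart Home Assistant to apply"
}
```

Run `list_custom_integrations` first to record what will be disabled, then `disable_custom_integrations` with the same directory, and restart Home Assistant afterwards.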