⬆️ Update esphome to v2024 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
esphome	==2023.12.9 -> ==2024.2.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-27081

Summary

Security misconfiguration in edit configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation) allows authenticated remote attackers to read and write arbitrary files under the configuration directory rendering remote code execution possible.

Details

It is possible to abuse this path traversal vulnerability both in command line installation and Home Assistant add-on, but it is possible to read and write files only under the configuration directory.

The vulnerability is present and exploitable in the command line installation, but it was not possible to confirm an impact in the home assistant add-on version.

PoC

Impact

The issue gives read and write access to files under the configuration directory and allows malicious users to write arbitrary code in python scripts executed during the compilation and flashing of firmwares for ESP boards.

If chained with GHSA-9p43-hj5j-96h5 and GHSA-5925-88xh-6h99, this issue could allow an unauthenticated remote user to gain remote code execution on the machine hosting the dashboard.

It also allows accessing sensitive information such as esphome.json and board firmware source code allowing a user to modify the board firmware, and leaking secrets such as: WiFi network credentials, fallback hotspot WiFi credentials, OTA component authentication password and API encryption key.

Credits

Spike Reply Cybersecurity Team

CVE-2024-27287

Summary

Edit configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with “Content-Type: text/html; charset=UTF-8”, allowing remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting (XSS).

Credits

Spike Reply Cybersecurity Teams

Details

It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write.

To trigger the XSS vulnerability, the victim must visit the page /edit?configuration=[xss file].

PoC

To reproduce the issue, it is possible to perform a POST request to inject the payload:

request:
POST /edit?configuration=xss.yaml HTTP/1.1
Host: localhost:6052
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:6052/
Connection: close
Cookie: authenticated=[replace with valid cookie]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Content-Length: 40

<script>alert(document.cookie);</script>

---

response:
HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Nov 2023 11:02:27 GMT
Content-Length: 0
Connection: close

And subsequently trigger the XSS with a GET request to the same endpoint:

request:
GET /edit?configuration=xss.yaml HTTP/1.1
Host: localhost:6052
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:6052/
Connection: close
Cookie: authenticated=2|1:0|10:1701341719|13:authenticated|4:eWVz|0907127d7274094cc5a2490b95becf5c11fd52b8c3ee3655d65fe9fda099108c
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Content-Length: 0

---

response:
HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Nov 2023 11:04:12 GMT
Etag: "ec6c9889f5c9a6c8e9d2d5e4ce1b1a85e6e7da2b"
Content-Length: 40
Connection: close

<script>alert(document.cookie);</script>

Impact

Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards.
In addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values.

Credits

Spike Reply Cybersecurity Team

---

Release Notes

esphome/esphome (esphome)

v2024.2.2

Compare Source

• CSE7766: Fix energy calculation esphome#6286 by @​puuu
• handling with the negative temperature in the sensor tmp102 esphome#6316 by @​FlyingFeng2021
• fix tmp102 negative calculation esphome#6320 by @​ssieb
• auto load output for now esphome#6309 by @​ssieb
• Add wake word phrase to voice assistant start command esphome#6290 by @​jesserockz

v2024.2.1

Compare Source

• Add missing timeout to "async_request" esphome#6267 by @​jesserockz
• Bump zeroconf timeout to 3000 esphome#6270 by @​jesserockz
• web_server: Add a position property for cover entities that have the supports position trait esphome#6269 by @​DanielBaulig
• allow multiple emc2101 esphome#6272 by @​ssieb
• Fix RP2040 SPI pin validation esphome#6277 by @​kbx81
• dashboard: move storage json update to a background task in edit save esphome#6280 by @​bdraco
• make output optional for speed fan esphome#6274 by @​ssieb
• fix throttle average nan handling esphome#6275 by @​ssieb
• Fix thermostat supplemental actions esphome#6282 by @​kbx81

v2024.2.0

Compare Source

Full list of changes

New Components

• feat: add AS5600 component/sensor esphome#5174 by @​ammmze (new-integration)
• Support for ST7567 display 128x64 (I2C, SPI) esphome#5952 by @​latonita (new-integration)
• BME280 SPI esphome#5538 by @​apbodrov (new-integration) (breaking-change)
• Add support for VEML3235 lux sensor esphome#5959 by @​kbx81 (new-integration)
• Add support of Honeywell HumidIcon (I2C HIH series) Temperature & Humidity sensor esphome#5730 by @​Benichou34 (new-integration)
• Add combination sensor and remove absorbed kalman_combinator component esphome#5438 by @​kahrendt (new-integration) (breaking-change)
• Add micro_wake_word component esphome#6136 by @​kahrendt (new-integration)

Breaking Changes

• PMSx003 add relevant device and state classes to default config esphome#5633 by @​wheimbigner (breaking-change)
• BME280 SPI esphome#5538 by @​apbodrov (new-integration) (breaking-change)
• convert cse7766 to non-polling esphome#6095 by @​ssieb (breaking-change)
• Add combination sensor and remove absorbed kalman_combinator component esphome#5438 by @​kahrendt (new-integration) (breaking-change)

Beta Changes

• AUTO_LOAD sensor for shelly_dimmer esphome#6223 by @​kbx81
• Add more debugging logs to microWakeWord esphome#6238 by @​kahrendt
• Fix to RF receiver for Drayton Digistat heating controller esphome#6235 by @​marshn
• WRGB Use correct multiplier esphome#6237 by @​mhetzi
• Add optional minimum esphome version to microWakeWord manifest esphome#6240 by @​jesserockz
• Fix xl9535 pin reads esphome#6242 by @​jesserockz
• hold interrupt disable for dallas one-wire esphome#6244 by @​ssieb
• Fix tm1651 enum esphome#6248 by @​kbx81
• Clear UART read buffer before sending next command esphome#6200 by @​fototakas
• Voice Assistant: add on_idle trigger and fix nevermind esphome#6141 by @​synesthesiam
• Tuya Fan component fix to handle enum datapoint type esphome#6135 by @​sibowler

All changes

• Bump esptool from 4.6.2 to 4.7.0 esphome#5935 by @​dependabot[bot]
• Bump actions/download-artifact from 3.0.2 to 4.0.0 esphome#5936 by @​dependabot[bot]
• Bump build-image action versions esphome#5954 by @​jesserockz
• Revert "Bump build-image action versions" esphome#5955 by @​jesserockz
• Revert "Bump actions/download-artifact from 3.0.2 to 4.0.0" esphome#5956 by @​jesserockz
• Bump zeroconf from 0.130.0 to 0.131.0 esphome#5967 by @​dependabot[bot]
• Add ability to lock to set mode esphome#5924 by @​ysmilda
• feat: add AS5600 component/sensor esphome#5174 by @​ammmze (new-integration)
• Add default substitutions for package includes esphome#5752 by @​mknjc
• Add gradient option to addressable color wipe effect esphome#5689 by @​lifeisafractal
• Added alarm processing for Haier component (hOn protocol) esphome#5965 by @​paveldn
• Allow haier remote protocol to use lambdas esphome#5898 by @​catlee
• PMSx003 add relevant device and state classes to default config esphome#5633 by @​wheimbigner (breaking-change)
• Add waveshare 2.7in V2 model esphome#5903 by @​gumulka
• Add support for waveshare 2.9in B V3 version esphome#5902 by @​gumulka
• Fix pin reuse in test1 esphome#5978 by @​jesserockz
• Add Waveshare 1.47in 172x320 to ST7789v component esphome#5884 by @​mrtoy-me
• (fingerprint_grow) Added on_finger_scan_invalid automation. esphome#5885 by @​RubenNL
• Alarm panel: Add changes to support enhanced features esphome#5671 by @​hwstar
• support default pins for adafruit esp32 feather v2 esphome#5482 by @​sbrudenell
• Bug: Unwanted change resistance in x9c component esphome#5483 by @​fizista
• Improvements to RF receiver for Drayton Digistat heating controller esphome#5504 by @​marshn
• Reduce memory usage with StringRef in MQTT Components esphome#5719 by @​kahrendt
• Nextion allow underscore on names esphome#5979 by @​edwardtfn
• Add Keeloq RF protocol esphome#5511 by @​marshn
• Add a Binary Sensor Filter for state settling esphome#5900 by @​cottsay
• Lint the script folder files esphome#5991 by @​jesserockz
• web_server support for home assistant like styling esphome#5854 by @​afarago
• [Touchscreen] Add expire of touch record. esphome#5986 by @​Fabian-Schmidt
• Support for ST7567 display 128x64 (I2C, SPI) esphome#5952 by @​latonita (new-integration)
• Add constants used by multiple display drivers to global const.py esphome#6033 by @​clydebarrow
• Nextion queue size esphome#6029 by @​edwardtfn
• Ble client additions and fixes esphome#5277 by @​clydebarrow
• HaierProtocol library updated to 0.9.25 to fix the answer_timeout bug esphome#6015 by @​paveldn
• GT911 touchscreen: Fix bug causing touch button release to fail esphome#6042 by @​clydebarrow
• Display: Introduce draw_pixels_at() method for fast block display rendering esphome#6034 by @​clydebarrow
• clang-format and clang-tidy scripts: More robust algorithm to find correct executable esphome#6041 by @​clydebarrow
• Don't crash with invalid adc pin esphome#6059 by @​ssieb
• Add questionmark to default glyphs. esphome#6053 by @​RubenNL
• pylontech: fix voltage_low and voltage_high wrong unit esphome#6060 by @​functionpointer
• Bump flake8 from 6.1.0 to 7.0.0 esphome#6058 by @​dependabot[bot]
• Nextion enable upload from https when using esp-idf esphome#6051 by @​edwardtfn
• Extends UART change at runtime to ESP8266 esphome#6019 by @​edwardtfn
• Nextion draw QR code at runtime esphome#6027 by @​edwardtfn
• Extend i2s config options esphome#6056 by @​Hadatko
• Add getter for image data_start esphome#6036 by @​clydebarrow
• Bump hypothesis to 6.92.1 esphome#6011 by @​bdraco
• Bump recommended ESP32 IDF to 4.4.6 esphome#6048 by @​bdraco
• Bump pytest from 7.4.3 to 7.4.4 esphome#6046 by @​dependabot[bot]
• dashboard: refactor ping implementation to be more efficient esphome#6002 by @​bdraco
• Bump pytest-asyncio from 0.23.2 to 0.23.3 esphome#6047 by @​dependabot[bot]
• Bump black from 23.12.0 to 23.12.1 esphome#6018 by @​dependabot[bot]
• Run python tests on windows and macos esphome#6010 by @​bdraco
• BME280 SPI esphome#5538 by @​apbodrov (new-integration) (breaking-change)
• Actions to enable and disable WireGuard connection esphome#5690 by @​droscy
• hydreon_rgxx - fix missing cg.add(var.set_model(...)) esphome#6065 by @​mrtoy-me
• Bump pillow to 10.2.0. esphome#6091 by @​pfrenssen
• convert cse7766 to non-polling esphome#6095 by @​ssieb (breaking-change)
• Use touch state from ft63x6 driver. esphome#6055 by @​nielsnl68
• update script/setup so it works fine on windows esphome#6087 by @​nielsnl68
• add Pico-ResTouch-LCD-3.5 esphome#6078 by @​nielsnl68
• Revert "add Pico-ResTouch-LCD-3.5" esphome#6098 by @​nielsnl68
• Add triangle shapes to display component esphome#6096 by @​mathieu-mp
• Fingerprint_grow: Trigger on finger scan start and on finger scan misplaced esphome#6003 by @​alexborro
• Add continuous option to the graph esphome#6093 by @​ssieb
• Add NFC binary sensor platform esphome#6068 by @​kbx81
• Socket: Add recvfrom method to receive UDP with source address. esphome#6103 by @​clydebarrow
• Add support for VEML3235 lux sensor esphome#5959 by @​kbx81 (new-integration)
• CV: tidy up Schema wrapper esphome#6105 by @​jesserockz
• Add support X.509 client certificates for MQTT. esphome#5778 by @​h2zero
• Fix color observation for triangle outline in display component esphome#6107 by @​mathieu-mp
• Add support of Honeywell HumidIcon (I2C HIH series) Temperature & Humidity sensor esphome#5730 by @​Benichou34 (new-integration)
• Proposal: Test yaml for each component esphome#5398 by @​Fabian-Schmidt
• WiFi fast_connect: save/load BSSID and channel for faster connect from sleep esphome#5931 by @​rguca
• Fixes Waveshare 7.5in B V2 and V3 esphome#6079 by @​Pofilo
• Add combination sensor and remove absorbed kalman_combinator component esphome#5438 by @​kahrendt (new-integration) (breaking-change)
• Bump platformio from 6.1.11 to 6.1.13 esphome#6086 by @​dependabot[bot]
• Bump actions/cache from 3.3.2 to 4.0.0 esphome#6110 by @​dependabot[bot]
• Enable networking and some other components on host platform esphome#6114 by @​clydebarrow
• Fix time component for host platform esphome#6118 by @​clydebarrow
• Add quad spi features esphome#5925 by @​clydebarrow
• add AM2120 device type esphome#6115 by @​alexbuit
• Add support for Waveshare EPD 2.13" V3 esphome#5363 by @​clydebarrow
• OTA 2 which confirm each written chunk esphome#6066 by @​tomaszduda23
• Remove optional<> for pointer types esphome#6120 by @​kroimon
• Improve temperature precision in BME280 and BMP280 esphome#6124 by @​jxl77
• Nextion TFT upload IDF memory optimization esphome#6128 by @​edwardtfn
• Add support for Pico-ResTouch-LCD-3.5 to ili9xxx driver esphome#6129 by @​clydebarrow
• Ensure filename is shown when YAML raises an error esphome#6139 by @​bdraco
• ILI9XXX: Restore offset usage in set_addr_window esphome#6147 by @​clydebarrow
• Minimum 1 for full_update_every to prevent IntegerDivideByZero. esphome#6150 by @​RubenNL
• Support tri-color waveshare eink displays 2.7inch B and B V2 esphome#4238 by @​rnauber
• Synchronise Device Classes from Home Assistant esphome#6158 by @​esphomebot
• dfrobot_sen0395: Use setLatency instead of outputLatency esphome#5665 by @​jfroy
• Add some components to the new testing framework (A part 1) esphome#6142 by @​kbx81
• WRGB or RGBW? WS2814 esphome#6164 by @​mhetzi
• Add some components to the new testing framework (A part 2) esphome#6162 by @​kbx81
• Bump aioesphomeapi to 21.0.2 esphome#6188 by @​bdraco
• Add some components to the new testing framework (B) esphome#6173 by @​kbx81
• Add "transformer_active" flag for use in effects. esphome#6157 by @​TikiBill
• CSE7766: fix power and current measurements at low loads esphome#6180 by @​twasilczyk
• host platform: improvements and bugfixes esphome#6137 by @​clydebarrow
• WLED Sync fix and BK72XX support esphome#6190 by @​ChuckMash
• Add missing vector.h for lightwaverf esphome#6196 by @​kbx81
• Add some components to the new testing framework (C) esphome#6174 by @​kbx81
• update docstrings in cpp_generator.py esphome#6212 by @​nielsnl68
• Fixed group mask logic for WLED Sync fix esphome#6193 by @​ChuckMash
• Add micro_wake_word component esphome#6136 by @​kahrendt (new-integration)
• AUTO_LOAD sensor for shelly_dimmer esphome#6223 by @​kbx81
• Add more debugging logs to microWakeWord esphome#6238 by @​kahrendt
• Fix to RF receiver for Drayton Digistat heating controller esphome#6235 by @​marshn
• WRGB Use correct multiplier esphome#6237 by @​mhetzi
• Add optional minimum esphome version to microWakeWord manifest esphome#6240 by @​jesserockz
• Fix xl9535 pin reads esphome#6242 by @​jesserockz
• hold interrupt disable for dallas one-wire esphome#6244 by @​ssieb
• Fix tm1651 enum esphome#6248 by @​kbx81
• Clear UART read buffer before sending next command esphome#6200 by @​fototakas
• Voice Assistant: add on_idle trigger and fix nevermind esphome#6141 by @​synesthesiam
• Tuya Fan component fix to handle enum datapoint type esphome#6135 by @​sibowler

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.