CVE-2021-21298
Path traversal in Node-Red
Description
### Impact

This vulnerability allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API.

### Patches

The issue has been patched in Node-RED 1.2.8.

### Workarounds

The vulnerability applies only to the Projects feature, which is not enabled by default in Node-RED. The primary workaround is not to give untrusted users read access to the Node-RED editor.

### For more information

If you have any questions or comments about this advisory:

* Email us at [[email protected]](mailto:[email protected])

### Acknowledgements

Thanks to the Tencent Woodpecker Security Team for disclosing this vulnerability.
How to fix CVE-2021-21298
To remediate CVE-2021-21298, upgrade the affected package to a fixed version below.
- Upgrade to 1.2.8 or later
Is CVE-2021-21298 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- node-red: versions from 0, < 1.2.8