CVE-2022-25568
HIGH 7.5 | EPSS 85.3%
MotionEye allows attackers to access sensitive information
Published: 3/25/2022 | Modified: 11/22/2024
Description
MotionEye v0.42.1 and below allows attackers to access sensitive information via a GET request to /config/list. To exploit this vulnerability, a regular user password must be unconfigured.
Affected packages (2)
- PyPI/motioneye: from 0, < 0.43.1b1
- PyPI/motioneye: from 0, < 0.43.1b1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-25568
- PATCH: https://github.com/motioneye-project/motioneye
- WEB: https://github.com/ccrisan/motioneye/issues/2292
- WEB: https://github.com/motioneye-project/motioneye/commit/c60b64af5bb8c09189071522a1f6796cb44340b0
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/motioneye/PYSEC-2022-43141.yaml
- WEB: https://www.pizzapower.me/2022/02/17/motioneye-config-info-disclosure
- WEB: https://www.pizzapower.me/2022/02/17/motioneye-config-info-disclosure/