CVE-2021-21298
Path traversal in Node-Red
Description

### Impact

This vulnerability allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file on the host via the Projects API.

### Patches

The issue has been patched in Node-RED 1.2.8.

### Workarounds

The vulnerability applies only to the Projects feature, which is not enabled by default in Node-RED. The primary workaround is not to give untrusted users read access to the Node-RED editor.

### For more information

If you have any questions or comments about this advisory:

* Email us at [[email protected]](mailto:[email protected])

### Acknowledgements

Thanks to the Tencent Woodpecker Security Team for disclosing this vulnerability.
How to fix CVE-2021-21298
To fix CVE-2021-21298, upgrade the affected package to one of the patched versions listed below.
- — Upgrade to 1.2.8 or later
Is CVE-2021-21298 being exploited?
Low: the EPSS score is 0.4%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 1.2.8