CVE-2021-44255

HIGH7.2EPSS 13.6%

Unrestricted Upload of File with Dangerous Type in motionEye

發布日:2022/2/1修改日:2024/2/19

描述

motionEye <= 0.42.1 and motioneEyeOS <= 20200606 allow a remote attacker to upload a configuration backup file containing a malicious python pickle file. This is possible when an installation is accessible over the Internet and uses no or poor authentication credentials. The GitHub repositories for motionEye and motionEyeOS are no longer being actively maintained as of January 2022, so release of a patched version is unlikely. Keeping a motionEye or motionEyeOS installation off of the Internet and/or using strong credentials provide protection against this issue.

受影響套件(1)

PyPI/motioneyefrom 0, <= 0.42.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-44255
PATCHhttps://github.com/ccrisan/motioneye
WEBhttps://github.com/ccrisan/motioneyeos/issues/2843
WEBhttps://www.pizzapower.me/2021/10/09/self-hosted-security-part-1-motioneye