CVE-2021-44255 motioneye

Package

Manager: pip
Name: motioneye
Vulnerable Version: >=0 <=0.42.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.14068 (percentile 0.94104)

Details

Unrestricted Upload of File with Dangerous Type in motionEye <= 0.42.1 and motionEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious Python pickle file. This is possible when an installation is accessible over the Internet and uses no or poor authentication credentials. The GitHub repositories for motionEye and motionEyeOS are no longer being actively maintained as of January 2022, so release of a patched version is unlikely. Keeping a motionEye or motionEyeOS installation off the Internet and/or using strong credentials provides protection against this issue.
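For anyone who has to vet a configuration backup before restoring it, the following added example (not code from the advisory or from the motionEye project) decodes any pickle files in an archive with `pickletools` and reports opcodes that import or call objects, without ever unpickling them. The tar archive format, the file names and the sample contents are assumptions constructed for the illustration.

```python
import collections, io, pickle, pickletools, tarfile

# Opcodes that import or call objects while unpickling; plain data uses none of them.
RISKY = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
         "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}

def risky_opcodes(data):
    """List risky opcodes in a byte string by decoding it, never unpickling it."""
    found = set()
    try:
        for opcode, _arg, _pos in pickletools.genops(data):
            if opcode.name in RISKY:
                found.add(opcode.name)
    except Exception:
        # Malformed stream. pickle.load would still run the opcodes that precede
        # the error, so keep the findings when the data has a PROTO header.
        if not data.startswith(b"\x80"):
            return []
    return sorted(found)

def scan_backup(archive_bytes):
    """Map member name -> risky opcodes for each file in a tar archive (assumed format)."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                hits = risky_opcodes(tar.extractfile(member).read())
                if hits:
                    report[member.name] = hits
    return report

def build_sample():
    """Constructed sample backup; file names and contents are hypothetical."""
    files = {
        "camera.conf": b"# constructed sample\nthreshold 1500\n",
        "plain.pickle": pickle.dumps({"interval": 60}, protocol=4),
        # Benign stand-in: OrderedDict pickles via a global lookup plus REDUCE.
        "state.pickle": pickle.dumps(collections.OrderedDict(a=1), protocol=4),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_backup(build_sample()))
```

A flagged member should be rejected rather than loaded. Storing persisted state in a data-only format such as JSON removes the need to unpickle uploaded content at all.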

Metadata

Created: 2022-02-01T00:00:44Z
Modified: 2022-02-14T19:58:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-m2c7-42rf-c62f/GHSA-m2c7-42rf-c62f.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-m2c7-42rf-c62f
Finding: F027
Auto approve: 1