logo

Database

Insecure file upload In motioneye

Description

Unrestricted Upload of File with Dangerous Type in motionEye motionEye <= 0.42.1 and motioneEyeOS <= 20200606 allow a remote attacker to upload a configuration backup file containing a malicious python pickle file. This is possible when an installation is accessible over the Internet and uses no or poor authentication credentials.

The GitHub repositories for motionEye and motionEyeOS are no longer being actively maintained as of January 2022, so release of a patched version is unlikely. Keeping a motionEye or motionEyeOS installation off of the Internet and/or using strong credentials provide protection against this issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2021-442552. NVD-2021-442553. OSV-2021-442554. GCVE-2021-44255

References

1. https://github.com/ccrisan/motioneyeos/issues/28432. https://www.pizzapower.me/2021/10/09/self-hosted-security-part-1-motioneye3. https://github.com/pizza-power/motioneye-authenticated-RCE

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-RZCJR – Vulnerability | Fluid Attacks Database