PT-2022-12031 · Unknown+1 · Motioneyeos+1

Pizza Power · Published 2022-01-31 · Updated 2022-07-12 · CVE-2021-44255

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

MotionEye versions 0.42.1 and earlier
MotionEyeOS versions 20200606 and earlier

Description

The issue allows a remote attacker to upload a configuration backup file containing a malicious Python pickle file, which will execute arbitrary code on the server. This can occur when an installation is accessible over the Internet and uses no or poor authentication credentials.

Recommendations

For MotionEye versions 0.42.1 and earlier, consider keeping the installation off the Internet and using strong credentials to provide protection against this issue.

For MotionEyeOS versions 20200606 and earlier, consider keeping the installation off the Internet and using strong credentials to provide protection against this issue.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
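
A defensive pre-check for the flaw described above, as an added example that is not MotionEye code: it lists the opcodes of pickle members in an uploaded backup with `pickletools`, so nothing is ever unpickled. The tar layout, the `.pickle` suffix and the sample member names are assumptions, not taken from the project.

```python
import collections
import io
import pickle
import pickletools
import tarfile

# Opcodes that make the unpickler import a name or call a callable.
# Plain data (dict, list, str, int) never needs them.
RISKY = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ",
         "NEWOBJ_EX", "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}


def risky_opcodes(data):
    """List risky opcodes in a pickle stream without ever loading it."""
    found = []
    try:
        for op, _arg, pos in pickletools.genops(data):
            if op.name in RISKY:
                found.append(f"{op.name}@{pos}")
    except Exception:
        # Fail closed: the unpickler may act on opcodes before a bad byte.
        found.append("UNPARSEABLE")
    return found


def scan_backup(archive_bytes, suffix=".pickle"):
    """Map each pickle member of a tar backup to its risky opcodes."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile() and member.name.endswith(suffix):
                report[member.name] = risky_opcodes(tar.extractfile(member).read())
    return report


def build_sample_backup():
    """Constructed sample: one data-only pickle, one that references a class."""
    members = {
        "plain.pickle": pickle.dumps({"interval": 60, "jobs": []}, protocol=2),
        "object.pickle": pickle.dumps(collections.OrderedDict(a=1), protocol=2),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in scan_backup(build_sample_backup()).items():
        print(name, "REJECT" if hits else "ok", hits)
```

A restore handler using this check would refuse the upload as soon as any member reports a hit.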

Missing Authentication

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2021-44255
GHSA-M2C7-42RF-C62F

Affected Products

Motioneye
Motioneyeos