CVE-2021-44255
Published: 2022-01-31
Priority: P3 · 47 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.95% (85.4th percentile)
Description: Authenticated remote code execution in motionEye <= 0.42.1 and motionEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious Python pickle file, which executes arbitrary code on the server when the backup is restored.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| motioneye_project | motioneye | < 0.42.1 | 0.42.1 |
| motioneye_project | motioneye | 0 – 0.42.1 | — |
| motioneyeos_project | motioneyeos | < 20200606 | 20200606 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
GHSA (2022-02-01): CVE-2021-44255 [HIGH] CWE-434 Unrestricted Upload of File with Dangerous Type in motionEye
motionEye <= 0.42.1 and motionEyeOS <= 20200606 allow a remote attacker to upload a configuration backup file containing a malicious Python pickle file. This is possible when an installation is accessible over the Internet and uses no or poor authentication credentials.
The GitHub repositories for motionEye and motionEyeOS are no longer being actively maintained as of January 2022, so release of a patched version is unlikely. Keeping a motionEye or motionEyeOS installation off of the Internet and/or using strong credentials provides protection against this issue.
OSV (2022-02-01): CVE-2021-44255 [HIGH] Unrestricted Upload of File with Dangerous Type in motionEye
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.