CVE-2021-21298 - OpenCVE

Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nodered	Node-red

Configuration 1 [-]

cpe:2.3:a:nodered:node-red:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456
https://github.com/node-red/node-red/releases/tag/1.2.8
https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f
https://www.npmjs.com/package/%40node-red/runtime

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-02-26T16:25:14

Updated: 2024-08-03T18:09:15.856Z

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21298

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-02-26T17:15:12.337

Modified: 2023-11-07T03:29:46.107

Link: CVE-2021-21298

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "node-red", "vendor": "node-red", "versions": [{"status": "affected", "version": "< 1.2.8"}]}], "descriptions": [{"lang": "en", "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-26T16:25:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40node-red/runtime"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456"}], "source": {"advisory": "GHSA-m33v-338h-4v9f", "discovery": "UNKNOWN"}, "title": "Path traversal in Node-Red", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21298", "STATE": "PUBLIC", "TITLE": "Path traversal in Node-Red"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "node-red", "version": {"version_data": [{"version_value": "< 1.2.8"}]}}]}, "vendor_name": "node-red"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://www.npmjs.com/package/@node-red/runtime", "refsource": "MISC", "url": "https://www.npmjs.com/package/@node-red/runtime"}, {"name": "https://github.com/node-red/node-red/releases/tag/1.2.8", "refsource": "MISC", "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"}, {"name": "https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f", "refsource": "CONFIRM", "url": "https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f"}, {"name": "https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456", "refsource": "MISC", "url": "https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456"}]}, "source": {"advisory": "GHSA-m33v-338h-4v9f", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.856Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40node-red/runtime"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21298", "datePublished": "2021-02-26T16:25:14", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.856Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodered:node-red:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FD380E45-4954-4427-90D5-66896B983B30", "versionEndExcluding": "1.2.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor."}, {"lang": "es", "value": "Node-Red es una programaci\u00f3n de low-code para aplicaciones basadas en eventos dise\u00f1adas usando nodejs. Node-RED versiones 1.2.7 y anteriores, presentan una vulnerabilidad que permite un salto de ruta arbitrario por medio de la API Projects. Si la funcionalidad Proyects est\u00e1 habilitada, un usuario con el permiso \"projects.read\" puede acceder a cualquier archivo por medio de la API Proyects. El problema ha sido parcheado en Node-RED versi\u00f3n 1.2.8. La vulnerabilidad se aplica solo a la funcionalidad Proyects que no est\u00e1 habilitada por defecto en Node-RED. La soluci\u00f3n alternativa principal es no dar acceso de lectura al editor de Node-RED para usuarios que no son confiables"}], "id": "CVE-2021-21298", "lastModified": "2023-11-07T03:29:46.107", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-02-26T17:15:12.337", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40node-red/runtime"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}