CVE-2021-41185 - OpenCVE

Mycodo is an environmental monitoring and regulation system. An exploit in versions prior to 8.12.7 allows anyone with access to endpoints to download files outside the intended directory. A patch has been applied and a release made. Users should upgrade to version 8.12.7. As a workaround, users may manually apply the changes from the fix commit.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mycodo Project	Mycodo

Configuration 1 [-]

cpe:2.3:a:mycodo_project:mycodo:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/kizniche/Mycodo/commit/23ac5dd422029c2b6ae1701a3599b6d41b66a6a9
https://github.com/kizniche/Mycodo/issues/1105
https://github.com/kizniche/Mycodo/releases/tag/v8.12.7
https://github.com/kizniche/Mycodo/security/advisories/GHSA-252r-94ph-m229

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-10-26T14:45:13

Updated: 2024-08-04T03:08:31.274Z

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41185

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-26T15:15:10.533

Modified: 2021-10-27T19:33:23.407

Link: CVE-2021-41185

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Mycodo", "vendor": "kizniche", "versions": [{"status": "affected", "version": "< 8.12.7"}]}], "descriptions": [{"lang": "en", "value": "Mycodo is an environmental monitoring and regulation system. An exploit in versions prior to 8.12.7 allows anyone with access to endpoints to download files outside the intended directory. A patch has been applied and a release made. Users should upgrade to version 8.12.7. As a workaround, users may manually apply the changes from the fix commit."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-26T14:45:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kizniche/Mycodo/security/advisories/GHSA-252r-94ph-m229"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/kizniche/Mycodo/issues/1105"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/kizniche/Mycodo/commit/23ac5dd422029c2b6ae1701a3599b6d41b66a6a9"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/kizniche/Mycodo/releases/tag/v8.12.7"}], "source": {"advisory": "GHSA-252r-94ph-m229", "discovery": "UNKNOWN"}, "title": "Download file outside intended directory", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41185", "STATE": "PUBLIC", "TITLE": "Download file outside intended directory"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Mycodo", "version": {"version_data": [{"version_value": "< 8.12.7"}]}}]}, "vendor_name": "kizniche"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mycodo is an environmental monitoring and regulation system. An exploit in versions prior to 8.12.7 allows anyone with access to endpoints to download files outside the intended directory. A patch has been applied and a release made. Users should upgrade to version 8.12.7. As a workaround, users may manually apply the changes from the fix commit."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/kizniche/Mycodo/security/advisories/GHSA-252r-94ph-m229", "refsource": "CONFIRM", "url": "https://github.com/kizniche/Mycodo/security/advisories/GHSA-252r-94ph-m229"}, {"name": "https://github.com/kizniche/Mycodo/issues/1105", "refsource": "MISC", "url": "https://github.com/kizniche/Mycodo/issues/1105"}, {"name": "https://github.com/kizniche/Mycodo/commit/23ac5dd422029c2b6ae1701a3599b6d41b66a6a9", "refsource": "MISC", "url": "https://github.com/kizniche/Mycodo/commit/23ac5dd422029c2b6ae1701a3599b6d41b66a6a9"}, {"name": "https://github.com/kizniche/Mycodo/releases/tag/v8.12.7", "refsource": "MISC", "url": "https://github.com/kizniche/Mycodo/releases/tag/v8.12.7"}]}, "source": {"advisory": "GHSA-252r-94ph-m229", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:08:31.274Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/kizniche/Mycodo/security/advisories/GHSA-252r-94ph-m229"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/kizniche/Mycodo/issues/1105"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/kizniche/Mycodo/commit/23ac5dd422029c2b6ae1701a3599b6d41b66a6a9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/kizniche/Mycodo/releases/tag/v8.12.7"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41185", "datePublished": "2021-10-26T14:45:13", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T03:08:31.274Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mycodo_project:mycodo:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8B4BD3A-4B47-41A4-84D2-B9E703773D53", "versionEndExcluding": "8.12.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mycodo is an environmental monitoring and regulation system. An exploit in versions prior to 8.12.7 allows anyone with access to endpoints to download files outside the intended directory. A patch has been applied and a release made. Users should upgrade to version 8.12.7. As a workaround, users may manually apply the changes from the fix commit."}, {"lang": "es", "value": "Mycodo es un sistema de monitorizaci\u00f3n y regulaci\u00f3n ambiental. Una explotaci\u00f3n en versiones anteriores a 8.12.7, permite a cualquiera con acceso a los endpoints descargar archivos fuera del directorio previsto. Se ha aplicado un parche y se ha realizado un lanzamiento. Los usuarios deben actualizar a la versi\u00f3n 8.12.7. Como soluci\u00f3n, los usuarios pueden aplicar manualmente los cambios del commit de correcci\u00f3n"}], "id": "CVE-2021-41185", "lastModified": "2021-10-27T19:33:23.407", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-10-26T15:15:10.533", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/kizniche/Mycodo/commit/23ac5dd422029c2b6ae1701a3599b6d41b66a6a9"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/kizniche/Mycodo/issues/1105"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/kizniche/Mycodo/releases/tag/v8.12.7"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/kizniche/Mycodo/security/advisories/GHSA-252r-94ph-m229"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}