cvelist / GitHub_M / CVELIST:CVE-2021-41185
History: Oct 26, 2021 - 2:45 p.m.

CVE-2021-41185 Download file outside intended directory

2021-10-26 14:45:13
CWE-22
GitHub_M
www.cve.org
Tags: mycodo, environmental monitoring, regulation system, exploit, download files, intended directory, patch, upgrade

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.8
Confidence: High

EPSS: 0.001
Percentile: 39.6%

Mycodo is an environmental monitoring and regulation system. An exploit in versions prior to 8.12.7 allows anyone with access to endpoints to download files outside the intended directory. A patch has been applied and a release made. Users should upgrade to version 8.12.7. As a workaround, users may manually apply the changes from the fix commit.

CNA Affected

[
  {
    "product": "Mycodo",
    "vendor": "kizniche",
    "versions": [
      {
        "status": "affected",
        "version": "< 8.12.7"
      }
    ]
  }
]
