CVE-2021-44255

HIGH

Motioneye < 0.42.1 - Missing Authentication

Title source: rule

Description

Authenticated remote code execution in MotionEye <= 0.42.1 and MotioneEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious python pickle file which will execute arbitrary code on the server.

Exploits (1)

nomisec WORKING POC 1 stars

by pizza-power · poc

https://github.com/pizza-power/motioneye-authenticated-RCE

View Code ZIP pw:eip

References (2)

[Issue Tracking, Third Party Advisory] https://github.com/ccrisan/motioneyeos/issues/2843

[Third Party Advisory] https://www.pizzapower.me/2021/10/09/self-hosted-security-part-1-motioneye/

Scores

CVSS v3 7.2

EPSS 0.1364

EPSS Percentile 94.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-306

Status published

Products (3)

motioneyeos_project/motioneyeos < 20200606

motioneye_project/motioneye < 0.42.1

pypi/motioneye 0PyPI

Published Jan 31, 2022

Tracked Since Feb 18, 2026