CVE-2021-44255
Unrestricted Upload of File with Dangerous Type in motionEye
Description
motionEye <= 0.42.1 and motionEyeOS <= 20200606 allow a remote attacker to upload a configuration backup file containing a malicious Python pickle file. This is possible when an installation is accessible over the Internet and uses no or poor authentication credentials. The GitHub repositories for motionEye and motionEyeOS are no longer being actively maintained as of January 2022, so release of a patched version is unlikely. Keeping a motionEye or motionEyeOS installation off the Internet and/or using strong credentials provides protection against this issue.
How to fix CVE-2021-44255
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fix listed
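The advisory describes a configuration backup whose embedded pickle is executed when the backup is restored. As an added example (not motionEye's code; the tar layout, member name and function names are assumptions for this illustration), here is the unsafe restore pattern beside a restricted unpickler that refuses any global or class reference, so a backup carrying anything beyond plain data is rejected instead of run:

```python
import io
import pickle
import tarfile


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global/class reference. A pickle holding only dicts,
    lists, strings, numbers and booleans never calls find_class, so a
    'config' backup that does is carrying something other than config."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"backup references {module}.{name}; refusing to restore")


def load_config_safely(data: bytes):
    # Vulnerable pattern the advisory describes: pickle.loads(data) on an
    # uploaded backup executes whatever callables the pickle references.
    # Hardened form: the restricted loader raises on any such reference.
    return RestrictedUnpickler(io.BytesIO(data)).load()


def make_backup(obj) -> bytes:
    """Constructed sample backup: a gzipped tar with one pickled member.
    The archive layout is an assumption for this example, not motionEye's."""
    payload = pickle.dumps(obj, protocol=2)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("config.pickle")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def restore_backup(archive: bytes):
    """Extract the pickled member and restore it with the restricted loader."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        member = tar.getmember("config.pickle")
        return load_config_safely(tar.extractfile(member).read())


def is_backup_safe(archive: bytes) -> bool:
    """True if the backup restores as plain data, False if it was rejected."""
    try:
        restore_backup(archive)
        return True
    except pickle.UnpicklingError:
        return False
```

A backup that pickles only a dictionary of camera settings restores normally; one that references any importable name (here the harmless builtin `len`, used only to trigger the check) is refused before anything is executed.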
Is CVE-2021-44255 being exploited?
Moderate — EPSS is 13.6%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- motionEye: from 0, <= 0.42.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |