CVE-2021-21298

Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with projects.read permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor.

Published: Feb 26, 2021
Updated: May 9, 2024
CVE: CVE-2021-21298
GHSA: GHSA-m33v-338h-4v9f
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:P/I:N/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
nodered / node-red	-	1.2.8
@node-red / runtime	-	1.2.8

https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456
https://github.com/node-red/node-red/releases/tag/1.2.8
https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f
https://www.npmjs.com/package/@node-red/runtime
https://www.npmjs.com/package/%40node-red/runtime

Vulnerability Database

CVE-2021-21298

Deep Security Visibility Without the Complexity