Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Path traversal in Node-Red
Vulnerability Description
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Node-RED 路径遍历漏洞
Vulnerability Description
Node-Red是开源的一种基于流的可视化编程开发工具,用于将硬件设备,API和在线服务作为物联网的一部分连接在一起。 Node-RED 1.2.7 and earlier 存在路径遍历漏洞,该漏洞允许通过项目API任意路径遍历。
CVSS Information
N/A
Vulnerability Type
N/A