脆弱性情報
高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
脆弱性説明
motionEye (mEye) is an online interface for a piece of software called "motion," which is a video surveillance program with motion detection. Versions prior to 0.44.0 contain an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using `os.path.join()`. When an absolute path is supplied, Python discards the configured media directory and returns the attacker-supplied path directly. The application then bypasses Tornado's built-in path validation by overriding the relevant safety checks. As a result, an attacker can access files outside of the configured camera media directory, subject to the permissions of the motionEye process. Version 0.44.0 fixes the issue.
CVSS情報
N/A
脆弱性タイプ
对路径名的限制不恰当(路径遍历)
脆弱性タイトル
motionEye 路径遍历漏洞
脆弱性説明
motionEye是motionEye团队开源的一个守护进程的web前端。 motionEye 0.44.0之前版本存在路径遍历漏洞,该漏洞源于多个媒体文件处理程序中的绝对路径遍历问题,攻击者可通过用户控制的文件名参数构造文件系统路径,从而读取任意文件。
CVSS情報
N/A
脆弱性タイプ
N/A