
CVE-2021-21298 : Security Advisory and Response

Node-RED 1.2.7 and earlier are affected by CVE-2021-21298, a path traversal vulnerability in the Projects API. A user holding the 'projects.read' permission can request a file path that escapes the project directory and read any file the Node-RED process itself can read. The issue is fixed in Node-RED 1.2.8.

Understanding CVE-2021-21298

Node-RED, a low-code programming tool for wiring together event-driven applications on Node.js, exposes a Projects API when its optional Projects feature is enabled. In affected versions that API does not confine requested file paths to the project directory.

What is CVE-2021-21298?

Node-RED versions prior to 1.2.8 contain a vulnerability that allows arbitrary file reads through the Projects API. Any authenticated user whose account carries the 'projects.read' permission can exploit it; no higher privilege is required.

The Impact of CVE-2021-21298

The vulnerability allows a low-privileged but authenticated user (one granted only 'projects.read') to read files outside the project directory, including files elsewhere on the host that are readable by the account running Node-RED, such as credential and settings files. The base severity is rated LOW with a CVSS base score of 3.5.

Technical Details of CVE-2021-21298

The vulnerability is categorized under CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

Vulnerability Description

In Node-RED 1.2.7 and earlier, the file path supplied to the Projects API is used to locate a file on disk without being checked against the project directory, so a path containing '../' sequences (or an absolute path) is resolved outside the project and its contents returned to the caller.

Affected Systems and Versions

Only Node-RED versions below 1.2.8 are impacted. The vulnerable endpoint is part of the Projects feature, so an instance is exposed when that feature is enabled and at least one user who is not fully trusted holds the 'projects.read' permission.

Exploitation Mechanism

The vulnerability arises because the Projects API joins the caller-supplied file path onto the project directory without normalizing it and verifying that the result still lies inside that directory. A request for a path such as ../../../../etc/passwd therefore resolves to a file outside the project, and the API reads and returns it exactly as it would a legitimate project file.

Mitigation and Prevention

To mitigate the CVE-2021-21298 vulnerability, immediate actions are recommended along with long-term security practices.

Immediate Steps to Take

Update Node-RED to version 1.2.8 or later, which adds the missing containment check. Until the upgrade is done, review the users defined under adminAuth and remove the 'projects.read' permission (or disable the Projects feature) for anyone who is not trusted to read every file the Node-RED process can reach.

Long-Term Security Practices

Apply the principle of least privilege to both the editor and the host: grant each Node-RED user only the permissions their role needs, run the Node-RED process as a dedicated low-privilege account so that a file-read bug cannot reach system or other users' files, and keep Node-RED updated to the latest release.

Patching and Updates

Refer to official sources like npmjs and GitHub for patch updates and security advisories.
