Node-RED 1.2.7 and earlier versions are affected by CVE-2021-21298, posing a risk of unauthorized file access via the Projects API. Learn how to prevent this security threat.
Node-RED 1.2.7 and earlier versions are affected by a path traversal vulnerability via the Projects API, allowing users with specific permissions to access any file. This CVE has been patched in Node-RED 1.2.8.
Understanding CVE-2021-21298
Node-RED, a low-code programming tool for event-driven applications built on Node.js, is vulnerable to path traversal attacks.
What is CVE-2021-21298?
Node-RED versions prior to 1.2.8 contain a vulnerability that enables arbitrary file access through the Projects API, affecting users with 'projects.read' permission.
The Impact of CVE-2021-21298
The vulnerability allows users holding the 'projects.read' permission to read files outside the project directory via the Projects feature. The base severity is rated as LOW with a CVSS base score of 3.5.
Technical Details of CVE-2021-21298
The vulnerability is categorized under CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
Vulnerability Description
Node-RED 1.2.7 and earlier versions are vulnerable to path traversal through the Projects API, which allows files outside the project directory, including sensitive ones, to be read.
Affected Systems and Versions
Only Node-RED versions below 1.2.8 are impacted by this vulnerability, specifically affecting users with 'projects.read' permission.
Exploitation Mechanism
The vulnerability arises because the Projects API did not properly restrict the file paths it would serve: a requested path was not confined to the project directory, so a path containing traversal sequences could escape it.
Mitigation and Prevention
To mitigate the CVE-2021-21298 vulnerability, immediate actions are recommended along with long-term security practices.
Immediate Steps to Take
Ensure that Node-RED is updated to version 1.2.8 or later to address the security issue. Avoid granting the 'projects.read' permission to untrusted users.
Long-Term Security Practices
Implement the principle of least privilege, restrict access to sensitive files, and regularly update Node-RED to the latest versions.
Patching and Updates
Refer to official sources like npmjs and GitHub for patch updates and security advisories.