Skip to content

Commit 2201d8a

Browse files
Advisory Database Sync
1 parent 711d8fe commit 2201d8a

65 files changed

Lines changed: 2104 additions & 14 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-rw9q-97r9-8gvh",
4+
"modified": "2026-06-23T18:32:46Z",
5+
"published": "2026-06-23T18:32:46Z",
6+
"aliases": [
7+
"CVE-2026-55488"
8+
],
9+
"summary": "motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read",
10+
"details": "### Summary\n\nmEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem.\n\nThe affected handlers accept a user-controlled filename parameter and construct filesystem paths using `os.path.join()`. When an absolute path is supplied, Python discards the configured media directory and returns the attacker-supplied path directly. The application then bypasses Tornado's built-in path validation by overriding the relevant safety checks.\n\nAs a result, an attacker can access files outside of the configured camera media directory, subject to the permissions of the motionEye process.\n\n### Details\n\nThe issue exists in the media playback and download functionality.\n\nThe filename parameter is passed to `mediafiles.get_media_path()`:\n\n```python\ndef get_media_path(camera_config, path, media_type):\n target_dir = camera_config.get('target_dir')\n full_path = os.path.join(target_dir, path)\n return full_path\n```\n\nWhen path is an absolute path (e.g. `/etc/motioneye/motion.conf`), Python's `os.path.join()` discards `target_dir` entirely and returns the absolute path as-is. This would normally be caught by Tornado's StaticFileHandler path validation, but MoviePlaybackHandler explicitly overrides both safety checks (`movie_playback.py` lines 111-115):\n\n```\ndef get_absolute_path(self, root, path):\n return path\n\ndef validate_absolute_path(self, root, absolute_path):\n return absolute_path\n```\nThis allows reading any file on the filesystem that the motionEye process can access.\n\nThe same path traversal exists in the movie download, picture download, and picture preview handlers:\n\n- GET /movie/<camera_id>/download/<filename>\n- GET /picture/<camera_id>/download/<filename>\n- GET /picture/<camera_id>/preview/<filename>\n\n# PoC\n\n```\nGET /movie/1/playback//etc/motioneye/motion.conf HTTP/1.1\nHost: target:8765\n```\n\n# Fix\n\nDo not allow absolute paths supplied by user input.\n\nValidate that the fully resolved canonical path remains within the configured camera media directory before serving a file.\n\nAdditionally, Tornado’s built-in path validation should not be bypassed unless equivalent validation is performed by motionEye.",
11+
"severity": [],
12+
"affected": [
13+
{
14+
"package": {
15+
"ecosystem": "PyPI",
16+
"name": "motioneye"
17+
},
18+
"ranges": [
19+
{
20+
"type": "ECOSYSTEM",
21+
"events": [
22+
{
23+
"introduced": "0"
24+
},
25+
{
26+
"fixed": "0.44.0"
27+
}
28+
]
29+
}
30+
]
31+
}
32+
],
33+
"references": [
34+
{
35+
"type": "WEB",
36+
"url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-rw9q-97r9-8gvh"
37+
},
38+
{
39+
"type": "PACKAGE",
40+
"url": "https://github.com/motioneye-project/motioneye"
41+
}
42+
],
43+
"database_specific": {
44+
"cwe_ids": [
45+
"CWE-22"
46+
],
47+
"severity": "HIGH",
48+
"github_reviewed": true,
49+
"github_reviewed_at": "2026-06-23T18:32:46Z",
50+
"nvd_published_at": null
51+
}
52+
}

advisories/unreviewed/2022/05/GHSA-585f-rvf9-f227/GHSA-585f-rvf9-f227.json

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-585f-rvf9-f227",
4-
"modified": "2022-05-14T02:15:16Z",
4+
"modified": "2026-06-23T18:31:29Z",
55
"published": "2022-05-14T02:15:16Z",
66
"aliases": [
77
"CVE-2011-0627"
88
],
99
"details": "Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content, as possibly exploited in the wild in May 2011 by a Microsoft Office document with an embedded .swf file.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{

advisories/unreviewed/2022/08/GHSA-8pp6-vxq4-65qv/GHSA-8pp6-vxq4-65qv.json

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,8 @@
2626
],
2727
"database_specific": {
2828
"cwe_ids": [
29-
"CWE-79"
29+
"CWE-79",
30+
"CWE-80"
3031
],
3132
"severity": "MODERATE",
3233
"github_reviewed": false,

advisories/unreviewed/2022/08/GHSA-q5m8-g27f-797h/GHSA-q5m8-g27f-797h.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@
2626
],
2727
"database_specific": {
2828
"cwe_ids": [
29+
"CWE-284",
2930
"CWE-732"
3031
],
3132
"severity": "MODERATE",

advisories/unreviewed/2023/05/GHSA-m4x7-w6vx-j9fm/GHSA-m4x7-w6vx-j9fm.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-m4x7-w6vx-j9fm",
4-
"modified": "2023-05-09T18:30:38Z",
4+
"modified": "2026-06-23T18:31:30Z",
55
"published": "2023-05-09T18:30:38Z",
66
"aliases": [
77
"CVE-2023-2609"

advisories/unreviewed/2023/09/GHSA-2rh9-r44r-2xv6/GHSA-2rh9-r44r-2xv6.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2rh9-r44r-2xv6",
4-
"modified": "2023-09-04T15:30:38Z",
4+
"modified": "2026-06-23T18:31:30Z",
55
"published": "2023-09-04T15:30:38Z",
66
"aliases": [
77
"CVE-2023-4733"

advisories/unreviewed/2023/09/GHSA-ph6h-mvrc-7rq5/GHSA-ph6h-mvrc-7rq5.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-ph6h-mvrc-7rq5",
4-
"modified": "2023-09-04T15:30:38Z",
4+
"modified": "2026-06-23T18:31:30Z",
55
"published": "2023-09-04T15:30:38Z",
66
"aliases": [
77
"CVE-2023-4750"

advisories/unreviewed/2023/09/GHSA-qjp4-g2mq-4r5w/GHSA-qjp4-g2mq-4r5w.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-qjp4-g2mq-4r5w",
4-
"modified": "2023-11-27T15:30:54Z",
4+
"modified": "2026-06-23T18:31:30Z",
55
"published": "2023-09-14T21:30:26Z",
66
"aliases": [
77
"CVE-2023-32611"

advisories/unreviewed/2026/03/GHSA-55gq-23mv-cw8r/GHSA-55gq-23mv-cw8r.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-55gq-23mv-cw8r",
4-
"modified": "2026-03-12T18:30:30Z",
4+
"modified": "2026-06-23T18:31:31Z",
55
"published": "2026-03-11T18:30:32Z",
66
"aliases": [
77
"CVE-2025-67038"
@@ -19,6 +19,10 @@
1919
"type": "ADVISORY",
2020
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67038"
2121
},
22+
{
23+
"type": "WEB",
24+
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-67038"
25+
},
2226
{
2327
"type": "WEB",
2428
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02"

advisories/unreviewed/2026/04/GHSA-7fjh-cgxv-cjc6/GHSA-7fjh-cgxv-cjc6.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-7fjh-cgxv-cjc6",
4-
"modified": "2026-06-09T18:30:34Z",
4+
"modified": "2026-06-23T18:31:31Z",
55
"published": "2026-04-08T18:34:08Z",
66
"aliases": [
77
"CVE-2026-32589"
@@ -47,6 +47,10 @@
4747
"type": "WEB",
4848
"url": "https://access.redhat.com/errata/RHSA-2026:24853"
4949
},
50+
{
51+
"type": "WEB",
52+
"url": "https://access.redhat.com/errata/RHSA-2026:28441"
53+
},
5054
{
5155
"type": "WEB",
5256
"url": "https://access.redhat.com/security/cve/CVE-2026-32589"

0 commit comments

Comments
 (0)