ID
VAR-201809-1335
TITLE
Node-RED Unauthorized Remote Command Execution Vulnerability
Trust: 0.6
DESCRIPTION
Node-RED is a tool for building Internet of Things (IOT) applications. Its focus is to simplify the "connection" of code blocks to perform tasks. Node-RED has an unauthorized remote command execution vulnerability. Because the Node-RED application does not enforce any type of authentication, it can be accessed without authorization, and an attacker can execute arbitrary commands on the target system by combining specific Flows. In addition, unauthorized use of other Nodes can also implement SSRF, local file inclusion, and information leakage attacks.
Trust: 0.6
IOT TAXONOMY
| category: | ['IoT'] | sub_category: | - | Trust: 0.6 |
AFFECTED PRODUCTS
| vendor: | node red | model: | node-red | scope: | - | version: | - | Trust: 0.6 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||
|
|
EXTERNAL IDS
| db: | CNVD | id: | CNVD-2018-19316 | Trust: 0.6 |
REFERENCES
| url: | https://quentinkaiser.be/pentesting/2018/09/07/node-red-rce/ | Trust: 0.6 |
| url: | https://gist.githubusercontent.com/qkaiser/79459c3cb5ea6e658701c7d203a8c297/raw/8966e4ee07400f16b92737161ca8df3cbfa37f91/noderedsh.py | Trust: 0.6 |
SOURCES
| db: | CNVD | id: | CNVD-2018-19316 |
LAST UPDATE DATE
2022-05-04T09:03:47.319000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2018-19316 | date: | 2018-09-19T00:00:00 |
SOURCES RELEASE DATE
| db: | CNVD | id: | CNVD-2018-19316 | date: | 2018-09-19T00:00:00 |