CVE-2022-25568
📋 TL;DR
MotionEye v0.42.1 and below contains an information disclosure vulnerability where attackers can access sensitive configuration data via unauthenticated GET requests to /config/list. This affects systems where regular user passwords are not configured, allowing unauthorized access to potentially sensitive system information.
💻 Affected Systems
- MotionEye
📦 What is this software?
Motioneye by Motioneye Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain full system configuration including credentials, API keys, network settings, and camera configurations, leading to complete system compromise and privacy violations.
Likely Case
Unauthorized users access sensitive configuration data including network settings, camera configurations, and potentially credentials stored in configuration files.
If Mitigated
With proper authentication configured, the vulnerability cannot be exploited, because exploitation depends on the regular user password being unconfigured.
🎯 Exploit Status
Simple HTTP GET request to vulnerable endpoint with no authentication required when regular user password is unconfigured.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.42.2 and above
Vendor Advisory: https://github.com/ccrisan/motioneye/issues/2292
Restart Required: Yes
Instructions:
1. Update MotionEye to version 0.42.2 or later.
2. Restart the MotionEye service.
3. Verify the fix by checking that the /config/list endpoint now requires authentication.
🔧 Temporary Workarounds
Configure Regular User Password
all: Set a password for regular users to prevent unauthenticated access to the vulnerable endpoint.
Edit motioneye.conf and set regular_user_password parameter
Web Server Access Control
linux: Configure web server (nginx/apache) to block access to /config/list endpoint.
Add location block for /config/list in web server configuration
🧯 If You Can't Patch
- Configure strong authentication for all MotionEye users immediately
- Implement network segmentation to restrict access to MotionEye web interface
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[motioneye-ip]:[port]/config/list without authentication. If configuration data is returned, system is vulnerable.
Check Version:
Check MotionEye web interface settings page or run: grep version /etc/motioneye/motioneye.conf
Verify Fix Applied:
After patching, attempt the same request. Should receive authentication prompt or error instead of configuration data.
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /config/list endpoint from unauthorized IPs
- Access logs showing successful 200 responses to /config/list without authentication
Network Indicators:
- Unusual traffic patterns to /config/list endpoint
- HTTP GET requests to /config/list from external IPs
SIEM Query:
source="motioneye.log" AND "GET /config/list" AND response=200
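The log indicators above as a small triage script (an added example, not part of the original advisory or the MotionEye project). It assumes a reverse proxy writing combined-format access logs, a hypothetical trusted network 192.168.10.0/24, and that authenticated motionEye requests carry a `_signature` query parameter; the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumption: networks allowed to reach the web interface; adjust per site.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.168.10.5 - - [01/Mar/2022:10:00:01 +0000] "GET /config/list?_=1&_username=admin&_signature=ab12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2022:10:02:13 +0000] "GET /config/list HTTP/1.1" 200 5120 "-" "curl/7.81.0"
203.0.113.7 - - [01/Mar/2022:10:02:20 +0000] "GET /config/list HTTP/1.1" 403 0 "-" "curl/7.81.0"
192.168.10.9 - - [01/Mar/2022:10:05:40 +0000] "GET /config/list/ HTTP/1.1" 200 5120 "-" "python-requests/2.27"
198.51.100.4 - - [01/Mar/2022:10:06:00 +0000] "GET /picture/1/current/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def classify(line, trusted=TRUSTED_NETS):
    """Return a finding for a successful GET /config/list worth triage, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "GET" or m["status"] != "200":
        return None  # unparsable, other method, or refused (401/403)
    url = urlsplit(m["target"])
    if url.path.rstrip("/") != "/config/list":  # also matches /config/list/
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None  # client field is not an IP address (e.g. a hostname)
    external = not any(ip in net for net in trusted)
    # Assumption: authenticated motionEye requests carry a _signature parameter.
    unsigned = "_signature" not in parse_qs(url.query)
    if not (external or unsigned):
        return None
    return {"ip": m["ip"], "time": m["time"],
            "external": external, "unsigned": unsigned}

def scan(lines):
    """Return findings for every suspicious line, in log order."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

A finding with `unsigned` set from a trusted address is still worth a look: it means the endpoint answered 200 to a request carrying no signature.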