GHSA-qxvg-h7q2-hcxh: motionEye: LFI → pass‑the‑hash admin → unsafe restore → unauth action exec (RCE)
A multi‑stage chain in motionEye leads to remote code execution. The chain combines:
- Arbitrary file read (LFI) via the picture download endpoint for local motion cameras using absolute paths.
- Pass‑the‑hash admin auth due to accepting request signatures computed with password hashes.
- Unsafe config restore that extracts attacker‑controlled tarballs into CONF_PATH.
- Unauthenticated action execution via /action/<id>/<action>.
If the normal user password is unset, the chain becomes unauthenticated RCE. If a normal password exists, a normal user can still achieve admin escalation and RCE.
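As an added illustration of how the two file-handling links in the chain are mitigated (this is example code written for this page, not motionEye's code and not taken from the advisory's references), the following Python confines a client-supplied picture path to a media directory and vets every tarball member before a config restore extracts anything. The directory values MEDIA_ROOT and CONF_PATH, the function names, and the sample archives are assumptions constructed for the example.

```python
import io
import os
import tarfile
from pathlib import Path

# Assumed directories for this example only; motionEye's real layout is not
# claimed here.
MEDIA_ROOT = "/var/lib/motioneye"
CONF_PATH = "/etc/motioneye"


def safe_media_path(base: str, requested: str) -> str:
    """Resolve a client-supplied picture path against base.

    Absolute paths are refused outright, and a relative path that resolves
    outside base is refused too, so the download handler cannot be turned
    into a read of arbitrary host files.
    """
    if os.path.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    base_real = Path(base).resolve()
    target = (base_real / requested).resolve()
    if target != base_real and base_real not in target.parents:
        raise ValueError("path escapes the media directory")
    return str(target)


def validate_backup(tar_bytes: bytes) -> list:
    """Check every member of a backup tarball before anything is extracted.

    Only regular files and directories with relative, non-traversing names
    are accepted; symlinks, hard links and device nodes are refused because
    they let an archive write outside the destination or alias host files.
    Returns the accepted member names in archive order.
    """
    accepted = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if os.path.isabs(m.name) or ".." in Path(m.name).parts:
                raise ValueError(f"unsafe member path: {m.name!r}")
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"unsafe member type: {m.name!r}")
            accepted.append(m.name)
    return accepted


def restore_config(tar_bytes: bytes, dest: str = CONF_PATH) -> list:
    """Validate the whole archive first, then extract only the vetted members."""
    names = validate_backup(tar_bytes)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        members = [m for m in tar.getmembers() if m.name in names]
        tar.extractall(path=dest, members=members)
    return names


def build_tar(entries) -> bytes:
    """Construct an in-memory tarball from (name, content) pairs (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries:
            info = tarfile.TarInfo(name=name)
            if content is None:  # a symlink member pointing outside the archive
                info.type = tarfile.SYMTYPE
                info.linkname = "/tmp/anywhere"
                tar.addfile(info)
            else:
                data = content.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to confirm a check fires."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed sample archives: one clean backup and three that must be refused.
GOOD_BACKUP = build_tar([("motion.conf", "daemon on\n"), ("camera-1.conf", "width 640\n")])
TRAVERSAL_BACKUP = build_tar([("../../../tmp/evil.conf", "x\n")])
ABSOLUTE_BACKUP = build_tar([("/tmp/evil.conf", "x\n")])
SYMLINK_BACKUP = build_tar([("motion.conf", None)])

if __name__ == "__main__":
    print(safe_media_path(MEDIA_ROOT, "Camera1/2024-01-01/12-00-00.jpg"))
    print(validate_backup(GOOD_BACKUP))
    for bad in (TRAVERSAL_BACKUP, ABSOLUTE_BACKUP, SYMLINK_BACKUP):
        print("rejected:", rejects(validate_backup, bad))
```

The restore validates the entire archive before extracting any member, so a single bad entry leaves CONF_PATH untouched rather than half-written; on Python 3.12 and later the same intent can be expressed with `extractall(..., filter="data")`, but the explicit checks make the policy visible and portable.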