CVE-2021-44255: 
Python vulnerability analysis and mitigation

CVE-2021-44255 is an authenticated remote code execution vulnerability affecting MotionEye versions <= 0.42.1 and MotionEyeOS versions <= 20200606. The vulnerability was discovered in late 2021 and allows authenticated remote attackers to upload a configuration backup file containing a malicious Python pickle file, which can then execute arbitrary code on the server (NVD, CVE).

The vulnerability has a CVSS v3.1 base score of 7.2 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper handling of Python pickle deserialization when processing configuration backup files. An authenticated attacker can include a malicious tasks.pickle file in a configuration backup, which gets written to disk and loaded when the application restarts (PizzaPower Blog).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code with the privileges of the MotionEye server process. This could lead to complete system compromise, including the ability to access, modify, or delete data, install programs, and create new accounts with full user rights (NVD).

Users should upgrade to versions newer than MotionEye 0.42.1 or MotionEyeOS 20200606. Additionally, it is recommended to change default credentials, implement proper access controls, and avoid exposing MotionEye installations directly to the internet. Using a VPN for remote access is advised (PizzaPower Blog).