CVE-2022-25568: 
Python vulnerability analysis and mitigation

CVE-2022-25568 affects MotionEye version 0.42.1 and below, allowing attackers to access sensitive information via a GET request to /config/list. The vulnerability was discovered and disclosed on March 24, 2022. The issue exists when a regular user password is unconfigured, even if an admin password is set (NVD, AttackerKB).

The vulnerability allows unauthorized access to the /config/list endpoint which contains configuration information. The attack requires no authentication when the user password is not configured. The vulnerability has a CVSS v3.1 Base Score of 7.5 (High), with high confidentiality impact but no impact on integrity or availability. The attack vector is network-based, requires low complexity, and needs no privileges or user interaction (AttackerKB).

The exposed configuration file contains sensitive information including email addresses, passwords for various services such as FTP, SFTP, Gmail, Google Drive, Telegram, internal network IP addresses, URLs, and drive mounting information. This exposure could lead to unauthorized access to connected services and systems (PizzaPower).

To mitigate this vulnerability, administrators must ensure both admin and user passwords are configured, especially if the MotionEye instance is exposed to the internet. This is particularly important if the configuration contains sensitive information like credentials for upload services (PizzaPower).