CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

EPSS: 0.03 Low (Percentile: 90.9%)
Apple QuickTime/Darwin Streaming Server fails to properly parse DESCRIBE requests containing overly large User-Agent fields. This could allow an unauthenticated, remote attacker to cause a denial-of-service condition.
Apple’s QuickTime and Darwin Streaming Server is software which provides integrated distribution of various forms of digital content. Such content can be delivered over a network using Real-Time Transport Protocol (RTP) and Real-Time Streaming Protocol (RTSP).
The RTSP provides a DESCRIBE method which, according to RFC 2326, “retrieves the description of a presentation or media object identified by the request URL from a server. It may use the Accept header to specify the description formats that the client understands. The server responds with a description of the requested resource. The DESCRIBE reply-response pair constitutes the media initialization phase of RTSP.”
There is a vulnerability in the way the QuickTime/Darwin Streaming Server parses DESCRIBE requests containing specially crafted User-Agent fields. An attacker could exploit this vulnerability by sending a DESCRIBE request containing an overly large User-Agent field.
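A defensive check for the condition described above, as an added example that is not part of the original advisory or of Apple's code: it parses an RTSP request and flags DESCRIBE requests whose User-Agent header exceeds a length limit. The 256-byte limit, the function names and the sample requests are assumptions made for this example; the advisory does not state the length that triggers the fault.

```python
"""Flag RTSP DESCRIBE requests whose User-Agent header exceeds a policy limit."""

# Assumption: 256 bytes is a local policy limit chosen for this example;
# the advisory does not state the length that triggers the fault.
MAX_USER_AGENT_LEN = 256


def parse_rtsp_request(raw: bytes):
    """Return (method, url, headers) for one RTSP request, or None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"RTSP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        # Header names are case-insensitive, so normalise before storing.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[0].decode("ascii", "replace"), parts[1], headers


def check_describe(raw: bytes, limit: int = MAX_USER_AGENT_LEN):
    """Return an alert string for a suspicious DESCRIBE, else None."""
    parsed = parse_rtsp_request(raw)
    if parsed is None:
        return "malformed RTSP request"
    method, _url, headers = parsed
    if method != "DESCRIBE":
        return None
    longest = max((len(v) for v in headers.get(b"user-agent", [])), default=0)
    if longest > limit:
        return f"DESCRIBE with {longest}-byte User-Agent (limit {limit})"
    return None


# Constructed sample requests (not captured traffic).
NORMAL = (b"DESCRIBE rtsp://media.example/sample.mov RTSP/1.0\r\n"
          b"CSeq: 1\r\nUser-Agent: ExamplePlayer/1.0\r\n\r\n")
OVERSIZED = (b"DESCRIBE rtsp://media.example/sample.mov RTSP/1.0\r\n"
             b"CSeq: 1\r\nuser-agent: " + b"A" * 600 + b"\r\n\r\n")
OPTIONS = (b"OPTIONS rtsp://media.example/sample.mov RTSP/1.0\r\n"
           b"CSeq: 1\r\nUser-Agent: " + b"A" * 600 + b"\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("oversized", OVERSIZED), ("options", OPTIONS)):
        print(name, "->", check_describe(req))
```

The check only covers the DESCRIBE method named in this advisory, so the OPTIONS sample is not flagged; a proxy or IDS rule built on it would sit in front of servers that have not yet received the patch.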
An unauthenticated, remote attacker could prevent legitimate users from accessing the streamed content.
Apply Patch
Apple has released a patch to address this vulnerability. For further details, please see the Apple Security Advisory (Security Update 2004-02-23).
460350
Updated: February 25, 2004
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please refer to the Apple Security Advisory.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23460350 Feedback>).
This vulnerability was reported by iDefense.
This document was written by Damon Morda.
CVE IDs: | CVE-2004-0169 |
---|---|
Severity Metric: | 1.68 |
Date Public: | |