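Ampache is an open-source, web-based audio/video streaming application and file manager. Due to a lack of input filtering, versions 4.x.y are vulnerable to code injection in random.php; the record below classifies the flaw as CWE-79 (cross-site scripting), i.e. the injected code is script rendered in a user's browser rather than code executed on the server. The attack requires user authentication to access the random.php page unless the site is running in demo mode. This issue has been resolved in 4.4.3. Note that the record's CPE data lists only version 4.4.2 while the description covers 4.x.y, so version matching based on the CPE alone can miss older affected installations.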
{"id": "CVE-2021-32644", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-32644", "description": "Ampache is an open source web based audio/video streaming application and file manager. Due to a lack of input filtering versions 4.x.y are vulnerable to code injection in random.php. The attack requires user authentication to access the random.php page unless the site is running in demo mode. This issue has been resolved in 4.4.3.", "published": "2021-06-22T18:15:00", "modified": "2021-06-29T16:02:00", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.5}, "severity": "LOW", "exploitabilityScore": 6.8, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32644", "reporter": "security-advisories@github.com", "references": ["https://github.com/ampache/ampache/security/advisories/GHSA-vqpj-xgw2-r54q", "https://github.com/ampache/ampache/commit/c9453841e1b517a1660c3da1efd1fe5d623c93a5"], "cvelist": ["CVE-2021-32644"], "immutableFields": [], "lastseen": "2022-03-23T18:30:46", "viewCount": 28, "enchantments": {"dependencies": {"references": [{"type": 
"checkpoint_advisories", "idList": ["CPAI-2021-0705"]}, {"type": "githubexploit", "idList": ["C06724A3-3997-554F-9133-DEDF1609D0B7"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-32644"]}], "rev": 4}, "score": {"value": 4.3, "vector": "NONE"}, "twitter": {"counter": 8, "tweets": [{"link": "https://twitter.com/WolfgangSesin/status/1409947493400559621", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-32644 (ampache)) has been published on https://t.co/vAUJmBAFtA?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1409947505886908420", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2021-32644 (ampache)) has been published on https://t.co/jS9BENKV9t?amp=1"}, {"link": "https://twitter.com/SecRiskRptSME/status/1407603453573148672", "text": "RT:\n\nCVE-2021-32644 Ampache is an open source web based audio/video streaming application and file manager. Due to a lack of input filtering versions 4.x.y are vulnerable to code injection in random.php. The attack requires user authentication t... https://t.co/2vlHdCdVCN?amp=1\n\n\u2014 CV\u2026"}, {"link": "https://twitter.com/SecRiskRptSME/status/1407603453573148672", "text": "RT:\n\nCVE-2021-32644 Ampache is an open source web based audio/video streaming application and file manager. Due to a lack of input filtering versions 4.x.y are vulnerable to code injection in random.php. The attack requires user authentication t... https://t.co/2vlHdCdVCN?amp=1\n\n\u2014 CV\u2026"}, {"link": "https://twitter.com/eyeTSystems/status/1407602425096200192", "text": "CVE-2021-32644 Ampache is an open source web based audio/video streaming application and file manager. Due to a lack of input filtering versions 4.x.y are vulnerable to code injection in random.php. The attack requires user authentication t... 
https://t.co/YI5VUiO2Hn?amp=1"}, {"link": "https://twitter.com/eyeTSystems/status/1407602425096200192", "text": "CVE-2021-32644 Ampache is an open source web based audio/video streaming application and file manager. Due to a lack of input filtering versions 4.x.y are vulnerable to code injection in random.php. The attack requires user authentication t... https://t.co/YI5VUiO2Hn?amp=1"}, {"link": "https://twitter.com/VulmonFeeds/status/1426365634150031363", "text": "CVE-2021-32644\n\nAmpache is an open source web based audio/video streaming applica...\n\nhttps://t.co/qw5lSPmpgF?amp=1\n\nVulnerability Alert Subscriptions: https://t.co/hrQhy5uz4x?amp=1"}, {"link": "https://twitter.com/Securityblog/status/1427184285547745283", "text": "GitHub - dnr6419/CVE-2021-32644: Ampache XSS"}], "modified": "2021-06-30T07:45:25"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0705"]}, {"type": "githubexploit", "idList": ["C06724A3-3997-554F-9133-DEDF1609D0B7"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-32644"]}]}, "exploitation": null, "vulnersScore": 4.3}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": "GitHub, Inc.", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "score": 6.4}}}, "cpe": ["cpe:/a:ampache:ampache:4.4.2"], "cpe23": ["cpe:2.3:a:ampache:ampache:4.4.2:*:*:*:*:*:*:*"], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "ampache:ampache", "version": "4.4.2", "operator": "eq", "name": "ampache"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:ampache:ampache:4.4.2:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://github.com/ampache/ampache/security/advisories/GHSA-vqpj-xgw2-r54q", "name": "https://github.com/ampache/ampache/security/advisories/GHSA-vqpj-xgw2-r54q", "refsource": "CONFIRM", "tags": ["Third Party 
Advisory"]}, {"url": "https://github.com/ampache/ampache/commit/c9453841e1b517a1660c3da1efd1fe5d623c93a5", "name": "https://github.com/ampache/ampache/commit/c9453841e1b517a1660c3da1efd1fe5d623c93a5", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}]}