CVSS3: 7.5 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.014 Low (Percentile: 86.6%)

SRS is a real-time video server supporting RTMP, WebRTC, HLS, HTTP-FLV, SRT, MPEG-DASH, and GB28181. Prior to versions 5.0.157, 5.0-b1, and 6.0.48, SRS’s api-server server is vulnerable to a drive-by command injection. An attacker may send a request to the /api/v1/snapshots endpoint containing any commands to be executed as part of the body of the POST request. This issue may lead to Remote Code Execution (RCE). Versions 5.0.157, 5.0-b1, and 6.0.48 contain a fix.

Vendor | Product | Version | CPE |
---|---|---|---|
ossrs | simple_realtime_server | * | cpe:2.3:a:ossrs:simple_realtime_server:*:*:*:*:*:*:*:* |
[
  {
    "vendor": "ossrs",
    "product": "srs",
    "versions": [
      {
        "version": ">= 5.0.137, < 5.0.157",
        "status": "affected"
      },
      {
        "version": ">= 6.0.18, < 6.0.48",
        "status": "affected"
      },
      {
        "version": "< 5.0-b1",
        "status": "affected"
      }
    ]
  }
]