Lucene search

[email protected]CVE-2024-29026

HistoryMar 20, 2024 - 10:15 p.m.

CVE-2024-29026

2024-03-2022:15:08

CWE-352

CWE-697

[email protected]

web.nvd.nist.gov

owncast

cve-2024-29026

video streaming

chat server

cors policy

privilege information leak

security vulnerability

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

6.4 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

28.0%

JSON

Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.

Affected configurations

Vulners

Node

owncastowncastRange≤0.1.2

CNA Affected

[
  {
    "vendor": "owncast",
    "product": "owncast",
    "versions": [
      {
        "version": "<= 0.1.2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32

github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624

securitylab.github.com/advisories/GHSL-2023-261_Owncast/

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

6.4 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

28.0%

JSON

Related for CVE-2024-29026

nvd1 osv1 cvelist1 veracode1