GitHub_MCVELIST:CVE-2023-34105CVE-2023-34105 SRS has command injection vulnerability in demonstration api-server for HTTP callback.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
0.014 Low
EPSS
Percentile
86.5%
SRS is a real-time video server supporting RTMP, WebRTC, HLS, HTTP-FLV, SRT, MPEG-DASH, and GB28181. Prior to versions 5.0.157, 5.0-b1, and 6.0.48, SRS’s api-server server is vulnerable to a drive-by command injection. An attacker may send a request to the /api/v1/snapshots endpoint containing any commands to be executed as part of the body of the POST request. This issue may lead to Remote Code Execution (RCE). Versions 5.0.157, 5.0-b1, and 6.0.48 contain a fix.
CNA Affected
[
{
"vendor": "ossrs",
"product": "srs",
"versions": [
{
"version": ">= 5.0.137, < 5.0.157",
"status": "affected"
},
{
"version": ">= 6.0.18, < 6.0.48",
"status": "affected"
},
{
"version": "< 5.0-b1",
"status": "affected"
}
]
}
]Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
0.014 Low
EPSS
Percentile
86.5%