cvelist | GitHub_M | CVELIST:CVE-2024-29026
History: Mar 20, 2024 - 9:55 p.m.

CVE-2024-29026 Owncast cross origin request

2024-03-20 21:55:22
CWE-697
CWE-352
GitHub_M
www.cve.org
owncast
cross origin request
vulnerability

CVSS3: 8.2

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

AI Score: 8.2
Confidence: High

EPSS: 0.001
Percentile: 27.8%

Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.

CNA Affected

[
  {
    "vendor": "owncast",
    "product": "owncast",
    "versions": [
      {
        "version": "<= 0.1.2",
        "status": "affected"
      }
    ]
  }
]
