GitHub Advisory Database: GHSA-V99W-R56H-G23V
Published: Aug 05, 2024, 9:29 p.m.

Owncast Cross-Site Request Forgery vulnerability

Published: 2024-08-05 21:29:23
CWE: CWE-352
Source: GitHub Advisory Database (github.com)
Keywords: owncast, cross-site request forgery, vulnerability, cors policy, cross origin request, admin password

CVSS3: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
  Attack Vector:          Network
  Attack Complexity:      Low
  Privileges Required:    None
  User Interaction:       None
  Scope:                  Unchanged
  Confidentiality Impact: Low
  Integrity Impact:       High
  Availability Impact:    None

AI Score: 6.4
Confidence: High

Owncast is an open source, self-hosted, decentralized, single-user live video streaming and chat server. In versions 0.1.2 and prior, an overly lenient CORS policy grants cross-origin access to arbitrary origins, so a web page on an attacker-controlled site can make a cross-origin request to a privileged Owncast endpoint from a logged-in administrator's browser and read the response. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue; the advisory does not name a fixed release, so verify that the deployed build contains that commit.
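The following is an added example, not Owncast's code and not the content of the fixing commit. It shows the lenient pattern the advisory describes (reflecting the request's Origin header while also allowing credentials) next to an allowlist-based policy, and a small model of the browser's decision about whether a credentialed cross-origin fetch from a given origin may read the response. The handler path, the cookie name, the admin JSON body and the origins are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// adminConfig is a hypothetical privileged endpoint. It is "authenticated" by a
// session cookie, which a browser attaches automatically to a cross-site
// fetch(..., {credentials: "include"}) when the cookie permits cross-site sending.
func adminConfig(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("session"); err != nil || c.Value != "admin-session" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"adminPassword":"hunter2"}`) // constructed sample secret
}

// lenientCORS reflects whatever Origin the browser sent and also allows
// credentials. Browsers refuse "*" with credentials, so reflecting the origin
// is exactly what makes every site able to read the authenticated response.
func lenientCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// strictCORS grants credentialed cross-origin access only to an explicit
// allowlist. Unknown origins get no Access-Control-Allow-Origin header at all,
// so the browser withholds the response body from the calling page.
func strictCORS(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		o := r.Header.Get("Origin")
		if o != "" && allowed[o] {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Add("Vary", "Origin") // keep caches from mixing per-origin answers
		}
		next.ServeHTTP(w, r)
	})
}

// browserCanRead models the check a browser performs for a credentialed
// cross-origin fetch issued by a page at `origin`: the response is exposed to
// the page only if Access-Control-Allow-Origin equals that origin exactly and
// Access-Control-Allow-Credentials is "true". The request carries the victim's
// session cookie, as the browser would.
func browserCanRead(h http.Handler, origin string) bool {
	req := httptest.NewRequest(http.MethodGet, "/api/admin/config", nil)
	req.Header.Set("Origin", origin)
	req.AddCookie(&http.Cookie{Name: "session", Value: "admin-session"})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	acao := rec.Header().Get("Access-Control-Allow-Origin")
	acac := rec.Header().Get("Access-Control-Allow-Credentials")
	return rec.Code == http.StatusOK && acao == origin && acac == "true"
}

func main() {
	attacker := "https://evil.example"
	own := "https://stream.example"
	lenient := lenientCORS(http.HandlerFunc(adminConfig))
	strict := strictCORS(map[string]bool{own: true}, http.HandlerFunc(adminConfig))
	fmt.Println("lenient policy, attacker origin can read admin response:", browserCanRead(lenient, attacker))
	fmt.Println("strict policy, attacker origin can read admin response:", browserCanRead(strict, attacker))
	fmt.Println("strict policy, own origin can read admin response:", browserCanRead(strict, own))
}
```

Two practical caveats when reproducing or triaging this class of bug: the credential the browser attaches must actually be sent cross-site (a cookie needs SameSite=None; cached HTTP basic-auth credentials are also attached with credentials: "include"), and exploitation needs a logged-in administrator to load the attacker's page, so confirm in a real browser rather than only with curl, which ignores CORS entirely. The server-side check is the same in either case: never reflect an untrusted Origin together with Access-Control-Allow-Credentials: true.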

Affected configurations

Vulners node: owncast / owncast, version range: <= 0.1.2

Vendor    Product   Version   CPE
owncast   owncast   *         cpe:2.3:a:owncast:owncast:*:*:*:*:*:*:*:*
