CVE-2021-35492 - Vulnerability Details - OpenCVE

Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. (Manual intervention is required to free filesystem resources and return the application to an operational state.)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.12981.

Key SSVC decision points have not yet been added.

Vendors	Products
Wowza	Streaming Engine

Configuration 1 [-]

cpe:2.3:a:wowza:streaming_engine:*:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://n4nj0.github.io/advisories/wowza-streaming-engine-i/
https://www.gruppotim.it/redteam
https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notes

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-10-05T15:12:22

Updated: 2024-08-04T00:40:46.577Z

Reserved: 2021-06-24T00:00:00

Link: CVE-2021-35492

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-10-05T16:15:07.497

Modified: 2024-11-21T06:12:22.410

Link: CVE-2021-35492

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. (Manual intervention is required to free filesystem resources and return the application to an operational state.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-08T15:01:51", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.gruppotim.it/redteam"}, {"tags": ["x_refsource_MISC"], "url": "https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notes"}, {"tags": ["x_refsource_MISC"], "url": "https://n4nj0.github.io/advisories/wowza-streaming-engine-i/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-35492", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. (Manual intervention is required to free filesystem resources and return the application to an operational state.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.gruppotim.it/redteam", "refsource": "MISC", "url": "https://www.gruppotim.it/redteam"}, {"name": "https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notes", "refsource": "MISC", "url": "https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notes"}, {"name": "https://n4nj0.github.io/advisories/wowza-streaming-engine-i/", "refsource": "MISC", "url": "https://n4nj0.github.io/advisories/wowza-streaming-engine-i/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:40:46.577Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.gruppotim.it/redteam"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notes"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://n4nj0.github.io/advisories/wowza-streaming-engine-i/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-35492", "datePublished": "2021-10-05T15:12:22", "dateReserved": "2021-06-24T00:00:00", "dateUpdated": "2024-08-04T00:40:46.577Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wowza:streaming_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D284460-1EF4-4BBA-80DA-4012AE9B769E", "versionEndIncluding": "4.8.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. (Manual intervention is required to free filesystem resources and return the application to an operational state.)"}, {"lang": "es", "value": "Wowza Streaming Engine versiones hasta 4.8.11+5, podr\u00eda permitir a un atacante remoto autenticado agotar los recursos del sistema de archivos por medio del par\u00e1metro vhost /enginemanager/server/vhost/historical.jsdata. Esto es debido a una administraci\u00f3n insuficiente de los recursos disponibles del sistema de archivos. Un atacante podr\u00eda explotar esta vulnerabilidad mediante la secci\u00f3n de monitorizaci\u00f3n de hosts virtuales al solicitar datos hist\u00f3ricos de hosts virtuales al azar y agotando los recursos disponibles del sistema de archivos. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante causar errores en la base de datos y causar que el dispositivo no responda a la administraci\u00f3n basada en la web. (Es requerida la intervenci\u00f3n manual para liberar los recursos del sistema de archivos y devolver la aplicaci\u00f3n a un estado operativo)"}], "id": "CVE-2021-35492", "lastModified": "2024-11-21T06:12:22.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-05T16:15:07.497", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://n4nj0.github.io/advisories/wowza-streaming-engine-i/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.gruppotim.it/redteam"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://n4nj0.github.io/advisories/wowza-streaming-engine-i/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.gruppotim.it/redteam"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notes"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}