CVE-2024-1965 - Vulnerability Details - OpenCVE

Server-Side Request Forgery vulnerability in Haivision's Aviwest Manager and Aviwest Steamhub. This vulnerability could allow an attacker to enumerate internal network configuration without the need for credentials. An attacker could compromise an internal server and retrieve requests sent by other users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00046.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Haivision	Aviwest Manager Aviwest Streamhub Maanager Streamhub

Configuration 1 [-]

OR	cpe:2.3:a:haivision:maanager::::::::
	cpe:2.3:a:haivision:streamhub::::::::

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/server-side-request-forgery-vulnerability-haivision-products

History

Thu, 10 Apr 2025 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Haivision maanager Haivision streamhub
CPEs		cpe:2.3:a:haivision:maanager:::::::: cpe:2.3:a:haivision:streamhub::::::::
Vendors & Products		Haivision maanager Haivision streamhub

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-02-28T12:19:55.059Z

Updated: 2024-08-02T17:08:02.850Z

Reserved: 2024-02-28T09:34:48.923Z

Link: CVE-2024-1965

Vulnrichment

Updated: 2024-08-02T17:06:05.779Z

NVD

Status : Analyzed

Published: 2024-02-28T13:15:07.987

Modified: 2025-04-10T19:26:56.720

Link: CVE-2024-1965

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1965", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-02-28T09:34:48.923Z", "datePublished": "2024-02-28T12:19:55.059Z", "dateUpdated": "2024-08-02T17:08:02.850Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Aviwest Manager", "vendor": "Haivision ", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "Aviwest Streamhub", "vendor": "Haivision ", "versions": [{"status": "affected", "version": "all versions"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Konrad Kowal Karp"}], "datePublic": "2024-02-28T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery vulnerability in Haivision's Aviwest Manager and Aviwest Steamhub. This vulnerability could allow an attacker to enumerate internal network configuration without the need for credentials. An attacker could compromise an internal server and retrieve requests sent by other users."}], "value": "Server-Side Request Forgery vulnerability in Haivision's Aviwest Manager and Aviwest Steamhub. This vulnerability could allow an attacker to enumerate internal network configuration without the need for credentials. An attacker could compromise an internal server and retrieve requests sent by other users."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-02-28T12:19:55.059Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/server-side-request-forgery-vulnerability-haivision-products"}], "source": {"discovery": "UNKNOWN"}, "title": "Server-Side Request Forgery Vulnerability in Haivision Products", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:56:22.638Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/server-side-request-forgery-vulnerability-haivision-products", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "haivision", "product": "aviwest_manager", "cpes": ["cpe:2.3:a:haivision:aviwest_manager:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "*", "versionType": "custom"}]}, {"vendor": "haivision", "product": "aviwest_streamhub", "cpes": ["cpe:2.3:a:haivision:aviwest_streamhub:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "*", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-02T17:04:39.791306Z", "id": "CVE-2024-1965", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T17:08:02.850Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1965", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-02T17:04:39.791306Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:haivision:aviwest_manager:*:*:*:*:*:*:*:*"], "vendor": "haivision", "product": "aviwest_manager", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "*"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:haivision:aviwest_streamhub:*:*:*:*:*:*:*:*"], "vendor": "haivision", "product": "aviwest_streamhub", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "*"}], "defaultStatus": "unknown"}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2024-08-02T17:06:05.779Z"}}], "cna": {"title": "Server-Side Request Forgery Vulnerability in Haivision Products", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Konrad Kowal Karp"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Haivision ", "product": "Aviwest Manager", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Haivision ", "product": "Aviwest Streamhub", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}], "datePublic": "2024-02-28T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/server-side-request-forgery-vulnerability-haivision-products"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery vulnerability in Haivision's Aviwest Manager and Aviwest Steamhub. This vulnerability could allow an attacker to enumerate internal network configuration without the need for credentials. An attacker could compromise an internal server and retrieve requests sent by other users.", "supportingMedia": [{"type": "text/html", "value": "Server-Side Request Forgery vulnerability in Haivision's Aviwest Manager and Aviwest Steamhub. This vulnerability could allow an attacker to enumerate internal network configuration without the need for credentials. An attacker could compromise an internal server and retrieve requests sent by other users.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-02-28T12:19:55.059Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1965", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:56:22.638Z", "dateReserved": "2024-02-28T09:34:48.923Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-02-28T12:19:55.059Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:haivision:maanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "919B2376-4F8F-4027-9E69-A9733D3B2930", "vulnerable": true}, {"criteria": "cpe:2.3:a:haivision:streamhub:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F7C8DC0-28A9-459B-9603-FD129EBBD050", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery vulnerability in Haivision's Aviwest Manager and Aviwest Steamhub. This vulnerability could allow an attacker to enumerate internal network configuration without the need for credentials. An attacker could compromise an internal server and retrieve requests sent by other users."}, {"lang": "es", "value": "Vulnerabilidad de Server-Side Request Forgery en Aviwest Manager y Aviwest Steamhub de Haivision. Esta vulnerabilidad podr\u00eda permitir a un atacante enumerar la configuraci\u00f3n de red interna sin necesidad de credenciales. Un atacante podr\u00eda comprometer un servidor interno y recuperar solicitudes enviadas por otros usuarios."}], "id": "CVE-2024-1965", "lastModified": "2025-04-10T19:26:56.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-28T13:15:07.987", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/server-side-request-forgery-vulnerability-haivision-products"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/server-side-request-forgery-vulnerability-haivision-products"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}