{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-44331", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-23T17:53:36.023Z", "dateReserved": "2024-08-21T00:00:00", "datePublished": "2024-10-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-10-22T21:27:03.606228"}, "descriptions": [{"lang": "en", "value": "Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-server/rtsp-media.c allows remote attackers to cause a denial of service via a series of specially crafted hexstream requests."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/dqp10515/security/tree/main/gst-rtsp-server_bug/bug1"}, {"url": "https://gist.github.com/dqp10515/c6a8879bebe92d8c74f7c52667fd3400"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-120", "lang": "en", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "affected": [{"vendor": "gstreamer_project", "product": "gst-rtsp-server", "cpes": ["cpe:2.3:a:gstreamer_project:gst-rtsp-server:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.25.0", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-23T17:43:25.396828Z", "id": "CVE-2024-44331", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T17:53:36.023Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-44331", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-23T17:43:25.396828Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:gstreamer_project:gst-rtsp-server:*:*:*:*:*:*:*:*"], "vendor": "gstreamer_project", "product": "gst-rtsp-server", "versions": [{"status": "affected", "version": "1.25.0"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T17:53:30.402Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/dqp10515/security/tree/main/gst-rtsp-server_bug/bug1"}, {"url": "https://gist.github.com/dqp10515/c6a8879bebe92d8c74f7c52667fd3400"}], "descriptions": [{"lang": "en", "value": "Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-server/rtsp-media.c allows remote attackers to cause a denial of service via a series of specially crafted hexstream requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-10-22T21:27:03.606228"}}}, "cveMetadata": {"cveId": "CVE-2024-44331", "state": "PUBLISHED", "dateUpdated": "2024-10-23T17:53:36.023Z", "dateReserved": "2024-08-21T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-10-22T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-server/rtsp-media.c allows remote attackers to cause a denial of service via a series of specially crafted hexstream requests."}, {"lang": "es", "value": " El control de acceso incorrecto en el servidor RTSP de GStreamer 1.25.0 en gst-rtsp-server/rtsp-media.c permite a atacantes remotos provocar una denegaci\u00f3n de servicio a trav\u00e9s de una serie de solicitudes hexstream especialmente manipuladas."}], "id": "CVE-2024-44331", "lastModified": "2024-10-23T18:35:02.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-10-22T22:15:05.463", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/dqp10515/c6a8879bebe92d8c74f7c52667fd3400"}, {"source": "cve@mitre.org", "url": "https://github.com/dqp10515/security/tree/main/gst-rtsp-server_bug/bug1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "gstreamer1-rtsp-server: DoS via rtsp-media.c", "id": "2321467", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2321467"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-617", "details": ["Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-server/rtsp-media.c allows remote attackers to cause a denial of service via a series of specially crafted hexstream requests.", "A flaw was found in GStreamer RTSP server. In certain versions, specially-crafted requests may trigger an assertion failure in the server, which can lead to a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-44331", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gstreamer1-rtsp-server", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-44331\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-44331\nhttps://gist.github.com/dqp10515/c6a8879bebe92d8c74f7c52667fd3400\nhttps://github.com/dqp10515/security/tree/main/gst-rtsp-server_bug/bug1"], "statement": "This vulnerability in the GStreamer RTSP server is classified as moderate rather than important because, while it can cause a denial of service (DoS), it does not allow remote code execution, privilege escalation, or data exposure. The flaw relies on sending specially crafted hexstream requests to disrupt the service, which may affect availability but does not compromise the integrity or confidentiality of the system. Moreover, the impact is limited to crashing or temporarily disrupting the RTSP server, with no lasting damage or persistent effects once the server is restarted. \nIt's important to note that this vulnerability does not impact any Red Hat products, indicating that Red Hat's software stack is unaffected by this specific CVE.", "threat_severity": "Important"}