Multiple vulnerabilities in Wowza Streaming Engine

Published: 2021-04-27

Risk	Low
Patch available	NO
Number of vulnerabilities	2
CVE-ID	CVE-2021-31539 CVE-2021-31540
CWE-ID	CWE-312 CWE-264
Exploitation vector	Local
Public exploit	N/A
Vulnerable software Subscribe	Wowza Streaming Engine Server applications / Other server solutions
Vendor	Wowza Media Systems

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Cleartext storage of sensitive information

EUVDB-ID: #VU52649

Risk: Low

CVSSv3.1: 5.1 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2021-31539

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the storage of user credentials in plain-text in the conf/admin.password file. A local user can gain unauthorized access to sensitive information on the system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Wowza Streaming Engine: 4.8.5

External links

http://www.gruppotim.it/redteam
http://www.wowza.com/products/streaming-engine

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU52650

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-31540

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls