CVE-2021-35492

moderate-risk

Published 2021-10-05

Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. (Manual intervention is required to free filesystem resources and return the application to an operational state.)

Do I need to act?

13.0% chance of exploitation in next 30 days

EPSS score — higher than 87% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Streaming Engine

Affected Vendors

Wowza

References (6)

Third Party Advisory https://n4nj0.github.io/advisories/wowza-streaming-engine-i/

Exploit https://www.gruppotim.it/redteam

Release Notes https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notes

Third Party Advisory https://n4nj0.github.io/advisories/wowza-streaming-engine-i/

Exploit https://www.gruppotim.it/redteam

Release Notes https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notes

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 12/34 · Low

Exposure 5/34 · Minimal