CVE-2021-35492

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. (Manual intervention is required to free filesystem resources and return the application to an operational state.)

Wowza Streaming Engine versiones hasta 4.8.11+5, podría permitir a un atacante remoto autenticado agotar los recursos del sistema de archivos por medio del parámetro vhost /enginemanager/server/vhost/historical.jsdata. Esto es debido a una administración insuficiente de los recursos disponibles del sistema de archivos. Un atacante podría explotar esta vulnerabilidad mediante la sección de monitorización de hosts virtuales al solicitar datos históricos de hosts virtuales al azar y agotando los recursos disponibles del sistema de archivos. Una explotación con éxito podría permitir al atacante causar errores en la base de datos y causar que el dispositivo no responda a la administración basada en la web. (Es requerida la intervención manual para liberar los recursos del sistema de archivos y devolver la aplicación a un estado operativo)

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-06-24 CVE Reserved
2021-10-05 CVE Published
2021-10-06 First Exploit
2024-08-04 CVE Updated
2024-09-23 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (4)

URL	Tag	Source
https://n4nj0.github.io/advisories/wowza-streaming-engine-i	Third Party Advisory

URL	Date	SRC
https://github.com/N4nj0/CVE-2021-35492	2021-10-06
https://www.gruppotim.it/redteam	2024-08-04

URL	Date	SRC

URL	Date	SRC
https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notes	2022-07-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wowza Search vendor "Wowza"		Streaming Engine Search vendor "Wowza" for product "Streaming Engine"				<= 4.8.11 Search vendor "Wowza" for product "Streaming Engine" and version " <= 4.8.11"		-		Affected