Vulnerability Details CVE-2020-9004
A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in unauthenticated mode and execute OS commands under root privileges. This issue was resolved in Wowza Streaming Engine 4.8.5.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.007
EPSS Ranking 71.7%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 9.0
References
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-9004-Authenticated%20Remote%20Authorization%20Bypass%20Leading%20to%20RCE-Wowza
- https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2020-9004.txt
- https://www.wowza.com/docs/wowza-streaming-engine-4-8-5-release-notes
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-9004-Authenticated%20Remote%20Authorization%20Bypass%20Leading%20to%20RCE-Wowza
- https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2020-9004.txt
- https://www.wowza.com/docs/wowza-streaming-engine-4-8-5-release-notes
Products affected by CVE-2020-9004
-
cpe:2.3:a:wowza:streaming_engine:4.0.0
-
cpe:2.3:a:wowza:streaming_engine:4.0.1
-
cpe:2.3:a:wowza:streaming_engine:4.0.3
-
cpe:2.3:a:wowza:streaming_engine:4.0.4
-
cpe:2.3:a:wowza:streaming_engine:4.0.5
-
cpe:2.3:a:wowza:streaming_engine:4.0.6
-
cpe:2.3:a:wowza:streaming_engine:4.1.0
-
cpe:2.3:a:wowza:streaming_engine:4.1.1
-
cpe:2.3:a:wowza:streaming_engine:4.1.2
-
cpe:2.3:a:wowza:streaming_engine:4.2.0
-
cpe:2.3:a:wowza:streaming_engine:4.3.0
-
cpe:2.3:a:wowza:streaming_engine:4.4.0
-
cpe:2.3:a:wowza:streaming_engine:4.4.1
-
cpe:2.3:a:wowza:streaming_engine:4.5.0
-
cpe:2.3:a:wowza:streaming_engine:4.6.0
-
cpe:2.3:a:wowza:streaming_engine:4.7.0
-
cpe:2.3:a:wowza:streaming_engine:4.7.1
-
cpe:2.3:a:wowza:streaming_engine:4.7.3
-
cpe:2.3:a:wowza:streaming_engine:4.7.4
-
cpe:2.3:a:wowza:streaming_engine:4.7.4.0.1
-
cpe:2.3:a:wowza:streaming_engine:4.7.5
-
cpe:2.3:a:wowza:streaming_engine:4.7.6
-
cpe:2.3:a:wowza:streaming_engine:4.7.7
-
cpe:2.3:a:wowza:streaming_engine:4.7.8
-
cpe:2.3:a:wowza:streaming_engine:4.8.0