Vulnerability Description
A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in unauthenticated mode and execute OS commands under root privileges. This issue was resolved in Wowza Streaming Engine 4.8.5.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wowza | Streaming Engine | <= 4.8.0 |
Related Weaknesses (CWE)
References
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-9004-AuthenticExploitThird Party Advisory
- https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streamThird Party Advisory
- https://www.wowza.com/docs/wowza-streaming-engine-4-8-5-release-notesRelease NotesVendor Advisory
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-9004-AuthenticExploitThird Party Advisory
- https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streamThird Party Advisory
- https://www.wowza.com/docs/wowza-streaming-engine-4-8-5-release-notesRelease NotesVendor Advisory
FAQ
What is CVE-2020-9004?
CVE-2020-9004 is a vulnerability with a CVSS score of 8.8 (HIGH). A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functio...
How severe is CVE-2020-9004?
CVE-2020-9004 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-9004?
Check the references section above for vendor advisories and patch information. Affected products include: Wowza Streaming Engine.