CVE-2024-29026

Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
GitHub_MCNA
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
VendorProductVersion
owncast_projectowncast
𝑥
≤ 0.1.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32
https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624
https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/
https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32
https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624
https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/