Skip to content

x/vulndb: potential Go vuln in github.com/ossrs/srs: CVE-2023-34105 #1854

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
GoVulnBot opened this issue Jun 12, 2023 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/ossrs/srs: CVE-2023-34105 #1854

GoVulnBot opened this issue Jun 12, 2023 · 2 comments
Assignees
@neild
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

CVE-2023-34105 references github.com/ossrs/srs, which may be a Go module.

Description:
SRS is a real-time video server supporting RTMP, WebRTC, HLS, HTTP-FLV, SRT, MPEG-DASH, and GB28181. Prior to versions 5.0.157, 5.0-b1, and 6.0.48, SRS's api-server server is vulnerable to a drive-by command injection. An attacker may send a request to the /api/v1/snapshots endpoint containing any commands to be executed as part of the body of the POST request. This issue may lead to Remote Code Execution (RCE). Versions 5.0.157, 5.0-b1, and 6.0.48 contain a fix.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/ossrs/srs
      packages:
        - package: srs
description: |
    SRS is a real-time video server supporting RTMP, WebRTC, HLS, HTTP-FLV, SRT, MPEG-DASH, and GB28181. Prior to versions 5.0.157, 5.0-b1, and 6.0.48, SRS's `api-server` server is vulnerable to a drive-by command injection. An attacker may send a request to the `/api/v1/snapshots` endpoint containing any commands to be executed as part of the body of the POST request. This issue may lead to Remote Code Execution (RCE). Versions 5.0.157, 5.0-b1, and 6.0.48 contain a fix.
cves:
    - CVE-2023-34105
references:
    - advisory: https://github.com/ossrs/srs/security/advisories/GHSA-vpr5-779c-cx62
    - fix: https://github.com/ossrs/srs/commit/1d878c2daaf913ad01c6d0bc2f247116c8050338
    - web: https://github.com/ossrs/srs/blob/1d11d02e4b82fc3f37e4b048cff483b1581482c1/trunk/research/api-server/server.go#L761
@neild neild self-assigned this Jun 14, 2023
@neild neild added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label Jun 14, 2023
@neild
Copy link
Contributor

neild commented Jun 14, 2023

Vulnerability in package main.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/503837 mentions this issue: data/excluded: batch add 21 excluded reports

@GoVulnBot GoVulnBot mentioned this issue Apr 3, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@neild @gopherbot @GoVulnBot