CVE-2021-39183 - OpenCVE

Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Owncast Project	Owncast

Configuration 1 [-]

cpe:2.3:a:owncast_project:owncast:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p	Exploit Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-12-14T20:05:12

Updated: 2021-12-14T20:05:12

Reserved: 2021-08-16T00:00:00

Link: CVE-2021-39183

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-12-14T20:15:07.490

Modified: 2021-12-20T20:38:47.083

Link: CVE-2021-39183

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "owncast", "vendor": "owncast", "versions": [{"status": "affected", "version": "< 0.0.9"}]}], "descriptions": [{"lang": "en", "value": "Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-14T20:05:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p"}], "source": {"advisory": "GHSA-2hfj-cxw7-g45p", "discovery": "UNKNOWN"}, "title": "Unsafe inline XSS Owncast", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39183", "STATE": "PUBLIC", "TITLE": "Unsafe inline XSS Owncast"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "owncast", "version": {"version_data": [{"version_value": "< 0.0.9"}]}}]}, "vendor_name": "owncast"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p", "refsource": "CONFIRM", "url": "https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p"}]}, "source": {"advisory": "GHSA-2hfj-cxw7-g45p", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39183", "datePublished": "2021-12-14T20:05:12", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2021-12-14T20:05:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:owncast_project:owncast:*:*:*:*:*:*:*:*", "matchCriteriaId": "07529BE1-AAF9-477D-986B-72F77DDE0529", "versionEndExcluding": "0.0.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player."}, {"lang": "es", "value": "Owncast es un servidor de chat y transmisi\u00f3n de v\u00eddeo en directo de c\u00f3digo abierto y autoalojado. En las versiones afectadas son ejecutados scripts en l\u00ednea cuando es analizado Javascript mediante una acci\u00f3n de pegado. Este problema est\u00e1 parcheado en la versi\u00f3n 0.0.9 al bloquear la pol\u00edtica de seguridad de contenidos unsafe-inline y la especificaci\u00f3n del script-src. Es requerido que el worker-src sea establecido como blob para el reproductor de v\u00eddeo"}], "id": "CVE-2021-39183", "lastModified": "2021-12-20T20:38:47.083", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-12-14T20:15:07.490", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/owncast/owncast/security/advisories/GHSA-2hfj-cxw7-g45p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}