CVE-2023-36177

Опубликовано: 23 янв. 2024

Источник: debian

Описание

An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.

Пакеты

Пакет	Статус	Версия исправления	Релиз	Тип
snapcast	fixed	0.30.0-1		package

Примечания

Introduced with: https://github.com/badaix/snapcast/commit/b26d8929505a30bb6177bd1b905f13eace1530dc (v0.16.0)
Fixed by: https://github.com/badaix/snapcast/commit/9e6009cad0ef6e2e88f64a1b2504eb4749af287f (v0.30.0)
Follow-up: https://github.com/badaix/snapcast/pull/1331 (re-adds Stream.AddStream)
https://oxnan.com/posts/Snapcast_jsonrpc_rce

Связанные уязвимости

CVE-2023-36177

CVSS3: 9.8

ubuntu

около 2 лет назад

An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.

CVE-2023-36177

CVSS3: 9.8

nvd

около 2 лет назад

An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.

GHSA-hgrc-r3ff-wxfq

CVSS3: 9.8

github

около 2 лет назад

An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.