Description

gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to Cross-Site Request Forgery. The `/api/config` endpoint allows one to modify the existing configuration with user-supplied values. While the API is only allowing localhost to interact without authentication, an attacker may be able to achieve that depending on how go2rtc is set up on the upstream application, and given that this endpoint is not protected against CSRF, it allows requests from any origin (e.g. a "drive-by" attack) . The `exec` handler allows for any stream to execute arbitrary commands. An attacker may add a custom stream through `api/config`, which may lead to arbitrary command execution. In the event of a victim visiting the server in question, their browser will execute the requests against the go2rtc instance. Commit 8793c3636493c5efdda08f3b5ed5c6e1ea594fd9 adds a warning about secure API access.

Severity

 

CVSS Version 3.x CVSS Version 2.0

CVSS 3.x Severity and Metrics:

NIST: NVD

Base Score:  N/A

NVD assessment not yet provided.

CNA:  GitHub, Inc.

Base Score:  8.8 HIGH

Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: NVD Analysts have not published a CVSS score for this CVE at this time. NVD Analysts use publicly available information at the time of analysis to associate CVSS vector strings. A CNA provided score within the CVE List has been displayed.

CVSS 2.0 Severity and Metrics:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: NVD Analysts have not published a CVSS score for this CVE at this time. NVD Analysts use publicly available information at the time of analysis to associate CVSS vector strings.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://github.com/AlexxIT/go2rtc/commit/8793c3636493c5efdda08f3b5ed5c6e1ea594fd9
https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-352	Cross-Site Request Forgery (CSRF)	GitHub, Inc.

Change History

1 change records found show changes

New CVE Received by NIST 4/04/2024 2:15:14 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		GitHub, Inc. AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Added	CWE		GitHub, Inc. CWE-352
Added	Description		Record truncated, showing 500 of 911 characters. View Entire Change Record gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to Cross-Site Request Forgery. The `/api/config` endpoint allows one to modify the existing configuration with user-supplied values. While the API is only allowing localhost to interact without authentication, an attacker may be able to achieve that depending on how go2rtc is set up on the upstream application, and given that this endpoint is not protected against CSRF, it allows requests from any origin (e.g. a "
Added	Reference		GitHub, Inc. https://github.com/AlexxIT/go2rtc/commit/8793c3636493c5efdda08f3b5ed5c6e1ea594fd9 [No types assigned]
Added	Reference		GitHub, Inc. https://securitylab.github.com/advisories/GHSL-2023-205_GHSL-2023-207_go2rtc/ [No types assigned]