
Cloud Vulnerability DB
A community-led vulnerabilities database
A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in unauthenticated mode and execute OS commands under root privileges. This vulnerability was discovered and fixed in Wowza Streaming Engine 4.8.5 (Wowza Release Notes, NVD).
The vulnerability is classified as an authorization bypass (CWE-306) with a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue allows authenticated users with read-only permissions to perform administrative actions through unauthorized POST requests to the administration panel. A specific example involves activating the Java JMX port in unauthenticated mode, which can then be leveraged to execute operating system commands with root privileges (Wowza CVE).
The vulnerability enables read-only users to gain administrative privileges and execute operating system commands with root-level access. This represents a significant privilege escalation that could lead to complete system compromise, as attackers can bypass intended access controls and execute arbitrary commands with the highest system privileges (DrunkenShells).
The vulnerability has been fixed in Wowza Streaming Engine version 4.8.5. Users are strongly advised to upgrade to this version or later to address the security issue (Wowza Release Notes).
Source: This report was generated using AI