Wiz
Vulnerability DatabaseCVE-2021-31539

CVE-2021-31539
Wowza Streaming Engine vulnerability analysis and mitigation

Overview

Wowza Streaming Engine through 4.8.5 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords (CISA, NIST).

Technical details

The vulnerability exists due to improper storage of authentication credentials in plaintext format within the conf/admin.password file. In the default installation configuration, the file permissions allow regular local users to read the contents of configuration files in the conf/ directory, including the admin.password file that contains usernames and passwords (CISA).

Impact

The vulnerability allows local users to obtain administrative credentials stored in cleartext, potentially leading to unauthorized access to administrative functions and elevated privileges within the Wowza Streaming Engine system (CISA).

Mitigation and workarounds

This vulnerability was fixed in Wowza Streaming Engine version 4.8.8.01, which introduced security improvements related to password storage. The update provides options to encode passwords using Bcrypt or digest hash functions and includes a command-line tool for user management. The Linux installer also updates permissions on several directories (Wowza Docs).

Additional resources

SourceThis report was generated using AI

Related Wowza Streaming Engine vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2024-52052CRITICAL9.4
  • Wowza Streaming EngineWowza Streaming Engine
  • cpe:2.3:a:wowza:streaming_engine
NoYesNov 21, 2024
CVE-2024-52053HIGH8.7
  • Wowza Streaming EngineWowza Streaming Engine
  • cpe:2.3:a:wowza:streaming_engine
NoYesNov 21, 2024
CVE-2024-52055HIGH8.2
  • Wowza Streaming EngineWowza Streaming Engine
  • cpe:2.3:a:wowza:streaming_engine
NoYesNov 21, 2024
CVE-2024-52056MEDIUM6.9
  • Wowza Streaming EngineWowza Streaming Engine
  • cpe:2.3:a:wowza:streaming_engine
NoYesNov 21, 2024
CVE-2024-52054MEDIUM5.1
  • Wowza Streaming EngineWowza Streaming Engine
  • cpe:2.3:a:wowza:streaming_engine
NoYesNov 21, 2024

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo