CVE-2021-35492: 
Wowza Streaming Engine vulnerability analysis and mitigation

Wowza Streaming Engine through version 4.8.11+5 contains a vulnerability that could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This vulnerability exists due to insufficient management of available filesystem resources. The vulnerability was discovered in 2021 and assigned CVE-2021-35492 (NVD, Advisory).

The vulnerability is caused by improper resource management in the Virtual Host Monitoring section. When a non-existing virtual host is requested through the vhost parameter, a 280 KB file is created on the filesystem. By randomly choosing different virtual host names, an attacker can repeatedly trigger file creation, leading to filesystem resource exhaustion. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (NVD).

A successful exploit could allow the attacker to cause database errors and make the device unresponsive to web-based management. The attack can create approximately 5.5 GB of files every 30 minutes, eventually exhausting available filesystem resources. Manual intervention is required to free filesystem resources and return the application to an operational state (Advisory).

The vulnerability was fixed in Wowza Streaming Engine version 4.8.14+9 released on July 20, 2021. Users are advised to upgrade to this or a later version to address the vulnerability (Release Notes).