CVE-2024-52055: 
Wowza Streaming Engine vulnerability analysis and mitigation

CVE-2024-52055 is a path traversal vulnerability discovered in the Manager component of Wowza Streaming Engine versions below 4.9.1. The vulnerability was disclosed on November 20, 2024, and affects versions from 4.3.0 up to (but not including) 4.9.1. This security flaw allows an administrator user to read any file on the file system if the target directory contains an XML definition file (Rapid7 Blog).

The vulnerability has been assigned a CVSS v4.0 score of 8.2 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N. The vulnerability was tested and confirmed on both Ubuntu Linux 22.04.1 and Windows Server 2022 operating systems. It is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The vulnerability allows an authenticated administrator to read any file on the file system, provided the target directory contains an XML definition file. This could potentially lead to unauthorized access to sensitive system files and information disclosure (Security Online).

The vulnerability has been patched in Wowza Streaming Engine version 4.9.1, released on November 20, 2024. Users are strongly advised to upgrade to this version or later to remediate the issue. Rapid7's InsightVM and Nexpose customers can assess their exposure to this vulnerability using authenticated vulnerability checks available since the November 20, 2024 content release (Wowza Release Notes).

Wowza Media Systems responded to the disclosure by stating, "We at Wowza Media Systems are focused on security excellence, and by partnering with trusted researchers like Rapid7, we proactively respond to and fix vulnerabilities to safeguard our customers' interests" (Rapid7 Blog).