
Owncast, EaseProbe security vulnerabilities revealed
2023-07-11 08:00

Oxeye has disclosed two security vulnerabilities, one of them rated Critical, and recommends immediate action to mitigate the risk.

The vulnerabilities were found in Owncast and EaseProbe, two open-source projects written in Go.

Owncast vulnerability

The first vulnerability affects Owncast, an open-source, self-hosted, decentralized, single-user live video streaming and chat server written in Go. CVE-2023-3188 is an unauthenticated blind server-side request forgery (SSRF): an attacker with no account on the instance can make the Owncast server issue HTTP GET requests to arbitrary destinations. Because the SSRF is blind, the response body is not returned to the attacker, but the server can still be used as a proxy to reach hosts on its internal network and to probe services that trust requests originating from it. The related vulnerability entry below lists Owncast versions prior to 0.1.0 as affected.
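The defensive counterpart to the issue described above, as an added example in Go (this is not Owncast's code and does not reflect how Owncast fixed the issue): a URL check at submission time plus a net.Dialer Control hook that inspects the resolved address right before connect(2), so a hostname that resolves to loopback, RFC 1918, link-local (including the 169.254.169.254 cloud metadata endpoint) or other internal ranges is refused even when the name looked harmless. Redirects are not followed, since a redirect to an internal address would otherwise bypass the first check. The sample URLs in main are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// ErrBlockedDestination is returned when an outbound request would reach an
// address the server must never be coaxed into contacting.
var ErrBlockedDestination = errors.New("ssrf guard: destination address not allowed")

// isBlockedIP reports whether ip is one the server should refuse to connect to:
// loopback, RFC 1918 / ULA private space, link-local (which covers the
// 169.254.169.254 cloud metadata address), unspecified and multicast addresses.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() ||
		ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() ||
		ip.IsUnspecified()
}

// validateTarget performs the cheap syntactic checks on a user-supplied URL
// before any connection is made: http(s) only, non-empty host, and a literal
// IP host is rejected up front. Hostnames are still checked at connect time
// (see guardedControl), because DNS is what an attacker actually controls.
func validateTarget(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("ssrf guard: scheme %q not allowed", u.Scheme)
	}
	if u.Hostname() == "" {
		return nil, errors.New("ssrf guard: empty host")
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && isBlockedIP(ip) {
		return nil, ErrBlockedDestination
	}
	return u, nil
}

// guardedControl is a net.Dialer Control hook. It sees the *resolved*
// ip:port immediately before the socket connects, so a public hostname that
// resolves (or is rebound) to 127.0.0.1 or 10.0.0.1 is caught here rather
// than by a pre-resolution hostname check.
func guardedControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || isBlockedIP(ip) {
		return ErrBlockedDestination
	}
	return nil
}

// newGuardedClient returns an http.Client that dials only through
// guardedControl and refuses to follow redirects, so a 302 to an internal
// address cannot bypass the initial URL validation.
func newGuardedClient() *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second, Control: guardedControl}
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			DialContext:       dialer.DialContext,
			DisableKeepAlives: true,
		},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	// Constructed sample inputs: one legitimate remote endpoint, three that an
	// SSRF attacker would typically try.
	for _, raw := range []string{
		"https://example.com/.well-known/webfinger",
		"http://127.0.0.1:8080/api/admin",
		"http://169.254.169.254/latest/meta-data/",
		"gopher://example.com/",
	} {
		_, err := validateTarget(raw)
		fmt.Printf("%-45s -> %v\n", raw, err)
	}
	_ = newGuardedClient() // would be used for the actual outbound GET
}
```

The two layers are deliberate: validateTarget gives a fast, user-facing error for obviously bad input, while guardedControl is the check that actually holds against DNS tricks because it runs on the resolved address. Neither layer inspects response bodies, which is appropriate for a blind SSRF where the concern is reachability, not data exfiltration through the response.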

EaseProbe vulnerabilities

Oxeye also found multiple SQL-injection vulnerabilities in EaseProbe, a lightweight, standalone health/status-checking tool written in Go. The vulnerabilities are categorized as config-based SQL injection and carry a Critical NIST CVSS base score of 9.8/10 (CVE-2023-33967, the second CVE in the article URL below). The precondition is control of the EaseProbe configuration: anyone who can edit or supply that configuration can read, modify or delete all data in the databases EaseProbe is configured to health-check.

Build SQL statements with parameterized queries rather than by concatenating strings, and strictly validate anything that cannot be parameterized, such as table and column names taken from configuration, against an allow-list. Configuration values that end up inside a query are untrusted input and should be treated as such.
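The config-based injection pattern described above and the recommended fix side by side, as an added Go example. This is not EaseProbe's code; the CheckConfig shape (table, column, key and value read from a config file) is a hypothetical stand-in for whatever a status-checking tool might load from YAML, and the malicious config in main is constructed. The unsafe builder splices config strings straight into SQL text; the safe builder validates identifiers against a strict pattern, quotes them, and binds the value as a placeholder parameter, so the config can choose what to check but can never change the statement's shape.

```go
package main

import (
	"context"
	"database/sql"
	"errors"
	"fmt"
	"regexp"
)

// CheckConfig is a hypothetical health-check definition: which table and
// column to read and which row to look at. Every field originates in the
// configuration file, so every field is attacker-controlled if the config is.
type CheckConfig struct {
	Table  string
	Column string
	Key    string
	Value  string
}

// buildQueryUnsafe mirrors the config-based SQL-injection pattern: the
// configuration strings become SQL text verbatim. Whoever controls the
// config controls the statement.
func buildQueryUnsafe(c CheckConfig) string {
	return fmt.Sprintf("SELECT %s FROM %s WHERE %s = '%s'", c.Column, c.Table, c.Key, c.Value)
}

// identifierRe accepts only a conservative identifier shape (letters, digits,
// underscore; at most 63 characters). Identifiers cannot be bound as query
// parameters, so they must be validated or allow-listed before being quoted
// into the statement.
var identifierRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,62}$`)

// ErrBadIdentifier is returned for any table/column/key name that fails
// identifierRe.
var ErrBadIdentifier = errors.New("sql config: identifier rejected")

// quoteIdentifier validates an identifier from config and returns it wrapped
// in standard SQL double quotes.
func quoteIdentifier(s string) (string, error) {
	if !identifierRe.MatchString(s) {
		return "", fmt.Errorf("%w: %q", ErrBadIdentifier, s)
	}
	return `"` + s + `"`, nil
}

// buildQuerySafe validates every identifier and binds the value as a
// placeholder. Placeholder syntax is driver-specific (? for MySQL/SQLite,
// $1 for PostgreSQL); this example assumes the ? form.
func buildQuerySafe(c CheckConfig) (string, []any, error) {
	col, err := quoteIdentifier(c.Column)
	if err != nil {
		return "", nil, err
	}
	tbl, err := quoteIdentifier(c.Table)
	if err != nil {
		return "", nil, err
	}
	key, err := quoteIdentifier(c.Key)
	if err != nil {
		return "", nil, err
	}
	q := fmt.Sprintf("SELECT %s FROM %s WHERE %s = ?", col, tbl, key)
	return q, []any{c.Value}, nil
}

// runCheck executes a validated probe against db, passing the config value
// as a bound parameter so the driver, not string formatting, handles it.
func runCheck(ctx context.Context, db *sql.DB, c CheckConfig) (string, error) {
	q, args, err := buildQuerySafe(c)
	if err != nil {
		return "", err
	}
	var got string
	if err := db.QueryRowContext(ctx, q, args...).Scan(&got); err != nil {
		return "", err
	}
	return got, nil
}

func main() {
	// Constructed malicious config: the table name carries a second statement
	// and the value carries a tautology.
	evil := CheckConfig{
		Table:  "users; DROP TABLE users; --",
		Column: "status",
		Key:    "id",
		Value:  "1' OR '1'='1",
	}
	fmt.Println("unsafe:", buildQueryUnsafe(evil))
	if _, _, err := buildQuerySafe(evil); err != nil {
		fmt.Println("safe  :", err)
	}
}
```

The value field is the easy part, since any database/sql driver will bind it literally. The identifiers are where config-driven tools usually go wrong: they cannot be parameterized, so the only options are an allow-list of known-good names or a strict shape check like identifierRe, and the check has to run before the name is quoted into the statement.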

Keep both applications updated and patched; applying fixed releases promptly is the most effective way to remove exposure to known vulnerabilities. The related vulnerability entry below lists Owncast versions prior to 0.1.0 as affected, so Owncast deployments should be on 0.1.0 or later.


News URL

https://www.helpnetsecurity.com/2023/07/11/cve-2023-3188-cve-2023-33967/

Related Vulnerability

DATE        CVE            VULNERABILITY TITLE                                                           RISK
2023-06-10  CVE-2023-3188  Server-Side Request Forgery (SSRF) vulnerability in Owncast Project Owncast   6.5
            Server-Side Request Forgery (SSRF) in GitHub repository owncast/owncast prior to 0.1.0.
            Attack vector: network; attack complexity: low; vendor: owncast-project; weakness: CWE-918