CVE-2015-3026 - Vulnerability Details - OpenCVE

Icecast before 2.4.2, when a stream_auth handler is defined for URL authentication, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request without login credentials, as demonstrated by a request to "admin/killsource?mount=/test.ogg."

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Opensuse	Opensuse
Xiph	Icecast

Configuration 1 [-]

cpe:2.3:a:xiph:icecast:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:o:opensuse:opensuse:13.1:::::::*
	cpe:2.3:o:opensuse:opensuse:13.2:::::::*

No data.

References

Link	Providers
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163859.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164061.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164074.html
http://lists.opensuse.org/opensuse-updates/2015-04/msg00030.html
http://lists.xiph.org/pipermail/icecast-dev/2015-April/002460.html
http://www.debian.org/security/2015/dsa-3239
http://www.openwall.com/lists/oss-security/2015/04/08/11
http://www.openwall.com/lists/oss-security/2015/04/08/8
http://www.securityfocus.com/bid/73965
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
https://security.gentoo.org/glsa/201508-03
https://trac.xiph.org/changeset/27abfbbd688df3e3077b535997330aa06603250f/icecast-server
https://trac.xiph.org/ticket/2191

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-04-29T20:00:00

Updated: 2024-08-06T05:32:21.286Z

Reserved: 2015-04-08T00:00:00

Link: CVE-2015-3026

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-04-29T20:59:02.123

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-3026

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-04-08T00:00:00", "descriptions": [{"lang": "en", "value": "Icecast before 2.4.2, when a stream_auth handler is defined for URL authentication, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request without login credentials, as demonstrated by a request to \"admin/killsource?mount=/test.ogg.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-20T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "FEDORA-2015-13077", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164061.html"}, {"name": "FEDORA-2015-13106", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163859.html"}, {"name": "openSUSE-SU-2015:0728", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00030.html"}, {"name": "GLSA-201508-03", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201508-03"}, {"name": "FEDORA-2015-13083", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164074.html"}, {"name": "[Icecast-dev] 20150408 Icecast 2.4.2 - security release", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.xiph.org/pipermail/icecast-dev/2015-April/002460.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://trac.xiph.org/changeset/27abfbbd688df3e3077b535997330aa06603250f/icecast-server"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://trac.xiph.org/ticket/2191"}, {"name": "[oss-security] 20150408 CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed in 2.4.2", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/04/08/8"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120"}, {"name": "73965", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/73965"}, {"name": "DSA-3239", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3239"}, {"name": "[oss-security] 20150408 Re: CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed in 2.4.2", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/04/08/11"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-3026", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Icecast before 2.4.2, when a stream_auth handler is defined for URL authentication, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request without login credentials, as demonstrated by a request to \"admin/killsource?mount=/test.ogg.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "FEDORA-2015-13077", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164061.html"}, {"name": "FEDORA-2015-13106", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163859.html"}, {"name": "openSUSE-SU-2015:0728", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00030.html"}, {"name": "GLSA-201508-03", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201508-03"}, {"name": "FEDORA-2015-13083", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164074.html"}, {"name": "[Icecast-dev] 20150408 Icecast 2.4.2 - security release", "refsource": "MLIST", "url": "http://lists.xiph.org/pipermail/icecast-dev/2015-April/002460.html"}, {"name": "https://trac.xiph.org/changeset/27abfbbd688df3e3077b535997330aa06603250f/icecast-server", "refsource": "CONFIRM", "url": "https://trac.xiph.org/changeset/27abfbbd688df3e3077b535997330aa06603250f/icecast-server"}, {"name": "https://trac.xiph.org/ticket/2191", "refsource": "CONFIRM", "url": "https://trac.xiph.org/ticket/2191"}, {"name": "[oss-security] 20150408 CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed in 2.4.2", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/04/08/8"}, {"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120", "refsource": "CONFIRM", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120"}, {"name": "73965", "refsource": "BID", "url": "http://www.securityfocus.com/bid/73965"}, {"name": "DSA-3239", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3239"}, {"name": "[oss-security] 20150408 Re: CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed in 2.4.2", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/04/08/11"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:32:21.286Z"}, "title": "CVE Program Container", "references": [{"name": "FEDORA-2015-13077", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164061.html"}, {"name": "FEDORA-2015-13106", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163859.html"}, {"name": "openSUSE-SU-2015:0728", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00030.html"}, {"name": "GLSA-201508-03", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201508-03"}, {"name": "FEDORA-2015-13083", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164074.html"}, {"name": "[Icecast-dev] 20150408 Icecast 2.4.2 - security release", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.xiph.org/pipermail/icecast-dev/2015-April/002460.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://trac.xiph.org/changeset/27abfbbd688df3e3077b535997330aa06603250f/icecast-server"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://trac.xiph.org/ticket/2191"}, {"name": "[oss-security] 20150408 CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed in 2.4.2", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/04/08/8"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120"}, {"name": "73965", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/73965"}, {"name": "DSA-3239", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3239"}, {"name": "[oss-security] 20150408 Re: CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed in 2.4.2", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/04/08/11"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-3026", "datePublished": "2015-04-29T20:00:00", "dateReserved": "2015-04-08T00:00:00", "dateUpdated": "2024-08-06T05:32:21.286Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xiph:icecast:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A8A6D47-D229-49F4-980C-73670C3303B3", "versionEndIncluding": "2.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Icecast before 2.4.2, when a stream_auth handler is defined for URL authentication, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request without login credentials, as demonstrated by a request to \"admin/killsource?mount=/test.ogg.\""}, {"lang": "es", "value": "Icecast anterior a 2.4.2, cuando un manejador stream_auth est\u00e1 definido para la autenticaci\u00f3n de URLs, permite a atacantes remotos causar una denegaci\u00f3n de servicio (referencia a puntero nulo y ca\u00edda) a trav\u00e9s de una solicitud sin las credenciales de inicio de sesi\u00f3n, tal y como fue demostrado por una solicitud a 'admin/killsource?mount=/test.ogg.'"}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/476.html\">CWE-476: NULL Pointer Dereference</a>", "id": "CVE-2015-3026", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-04-29T20:59:02.123", "references": [{"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163859.html"}, {"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164061.html"}, {"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164074.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00030.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://lists.xiph.org/pipermail/icecast-dev/2015-April/002460.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2015/dsa-3239"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/04/08/11"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/04/08/8"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/73965"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201508-03"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://trac.xiph.org/changeset/27abfbbd688df3e3077b535997330aa06603250f/icecast-server"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking"], "url": "https://trac.xiph.org/ticket/2191"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163859.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164061.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164074.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00030.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://lists.xiph.org/pipermail/icecast-dev/2015-April/002460.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2015/dsa-3239"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/04/08/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/04/08/8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/73965"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201508-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://trac.xiph.org/changeset/27abfbbd688df3e3077b535997330aa06603250f/icecast-server"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://trac.xiph.org/ticket/2191"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}