Compliance Impact

The vulnerability allows an attacker with specific internal knowledge to modify database records related to media files, causing partial data loss and integrity compromise. However, it does not disclose any confidential information or personal data. Given the low severity and the nature of the impact (no confidentiality breach, only low integrity impact), this vulnerability may pose a limited risk to compliance with standards like GDPR or HIPAA, which emphasize data confidentiality and integrity. Organizations relying on AzuraCast should consider the potential impact on data integrity and ensure proper access controls and patching to maintain compliance. [1]

Useful 0 Not Useful 0

Executive Summary

This vulnerability in AzuraCast version 0.23.1 involves an API endpoint that was intended only for internal use by the SFTP software sftpgo but was mistakenly exposed to the public-facing HTTP API. A user with specific internal knowledge, including a valid SFTP station username and the internal filesystem structure, can craft a custom HTTP request to modify the contents of a station's database without revealing internal information about the station. This issue is fixed in version 0.23.2.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows a malicious user who has certain internal knowledge to alter the contents of a station's database via the exposed API endpoint. This could lead to unauthorized modifications of data within the AzuraCast system, potentially disrupting operations or corrupting data.

Useful 0 Not Useful 0

Mitigation Strategies

Upgrade AzuraCast to version 0.23.2 or later, as this version fixes the vulnerability by removing the mistakenly exposed internal API endpoint.

Useful 0 Not Useful 0

Detection Guidance

You can detect this vulnerability by checking if the internal API endpoint `/api/internal/sftp-event` is accessible from outside the localhost. One way to test this is by sending a crafted HTTP POST request to the endpoint and observing if it is accepted. For example, you can use the following curl command to test access locally or remotely (replace localhost with your server's IP if testing remotely): ```curl -s -X POST "http://localhost/api/internal/sftp-event" -H "Content-Type: application/json" -d '{ "action": "pre-delete", "username": "admin", "path": "/var/azuracast/stations/test/media/test.mp3" }'``` If this request is accepted externally (not just from localhost), your system is vulnerable. Additionally, you can scan your network or system for the presence of this endpoint being accessible externally. The patch restricts this endpoint to internal connections only, so if your version is older than 0.23.2 and the endpoint is reachable externally, the vulnerability exists. [1]

Useful 0 Not Useful 0