CVE-2011-4612
published 2012-11-20
Priority: P4 · 18 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS: 2.20% (80.3th percentile)
icecast before 2.3.3 allows remote attackers to inject control characters such as newlines into the error log (error.log) via a crafted URL.
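The weakness described above, shown next to a hardened form. This is an added illustration, not icecast's code or its 2.3.3 patch: the function names, `SAMPLE_URI` and the timestamp are constructed, the record layout imitates the WARN line visible in the reporter's command further down the page, and it assumes the percent-decoded request path is written into the log record.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample request path: %0d%0a decodes to CR LF. */
static const char SAMPLE_URI[] =
    "/missing%0d%0a[1970-01-01%20%2000:00:00]%20INFO%20forged%20entry";
/* Percent-decode src into dst; dst needs strlen(src) + 1 bytes. */
static void url_decode(const char *src, char *dst) {
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) &&
            isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            *dst++ = (char)strtol(hex, NULL, 16);
            src += 3;
        } else *dst++ = *src++;
    }
    *dst = '\0';
}
/* Copy src to dst with control bytes, DEL and backslash written as \xHH. */
static void log_escape(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    for (; *src && o + 5 <= dstlen; src++) {   /* room for "\xHH" + NUL */
        unsigned char c = (unsigned char)*src;
        if (c < 0x20 || c == 0x7f || c == '\\')
            o += (size_t)snprintf(dst + o, dstlen - o, "\\x%02x", c);
        else dst[o++] = (char)c;
    }
    if (dstlen) dst[o] = '\0';
}
/* Format one error.log-style record; returns how many lines it occupies. */
static int build_record(const char *uri, int escape, char *out, size_t outlen) {
    char decoded[512], safe[2048] = "";
    int lines = 0;
    if (strlen(uri) >= sizeof decoded) return -1;
    url_decode(uri, decoded);
    if (escape) log_escape(decoded, safe, sizeof safe);
    snprintf(out, outlen, "[2011-12-15  10:00:00] WARN fserve/fserve_client_create "
             "req for file \"%s\" No such file or directory\n", escape ? safe : decoded);
    for (const char *p = out; *p; p++) lines += (*p == '\n');
    return lines;
}
int main(void) {
    char buf[4096];
    int raw = build_record(SAMPLE_URI, 0, buf, sizeof buf);
    int esc = build_record(SAMPLE_URI, 1, buf, sizeof buf);
    printf("raw: %d lines, escaped: %d line\n%s", raw, esc, buf);
}
```

With escaping off, a single request yields a record that spans two physical lines, the second of which looks like an independent log entry; with escaping on, the CR LF stays visible as `\x0d\x0a` inside one line.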
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | icecast2 | < icecast2 2.3.3-1 (bookworm) | icecast2 2.3.3-1 (bookworm) |
| xiph | icecast | <= 2.3.2 | — |
CVSS provenance
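| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | | 5.0 | MEDIUM | |
| vendor_debian | | 5.0 | MEDIUM | |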
GHSA
GHSA-66c2-mp25-238j: icecast before 2
ghsa_unreviewed·2022-05-13
CVE-2011-4612 [MEDIUM] CWE-20 GHSA-66c2-mp25-238j: icecast before 2
icecast before 2.3.3 allows remote attackers to inject control characters such as newlines into the error log (error.log) via a crafted URL.
OSV
CVE-2011-4612: icecast before 2
osv·2012-11-20·CVSS 5.0
CVE-2011-4612 [MEDIUM] CVE-2011-4612: icecast before 2
icecast before 2.3.3 allows remote attackers to inject control characters such as newlines into the error log (error.log) via a crafted URL.
Debian
CVE-2011-4612: icecast2 - icecast before 2.3.3 allows remote attackers to inject control characters such a...
vendor_debian·2011·CVSS 5.0
CVE-2011-4612 [MEDIUM] CVE-2011-4612: icecast2 - icecast before 2.3.3 allows remote attackers to inject control characters such a...
icecast before 2.3.3 allows remote attackers to inject control characters such as newlines into the error log (error.log) via a crafted URL.
Scope: local
bookworm: resolved (fixed in 2.3.3-1)
bullseye: resolved (fixed in 2.3.3-1)
forky: resolved (fixed in 2.3.3-1)
sid: resolved (fixed in 2.3.3-1)
trixie: resolved (fixed in 2.3.3-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2011-4612 icecast2: Newline injection in error.log [fedora-all]
bugzilla·2011-12-15·CVSS 5.0
CVE-2011-4612 [MEDIUM] CVE-2011-4612 icecast2: Newline injection in error.log [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=76
Bugzilla
CVE-2011-4612 icecast2: Newline injection in error.log [epel-5]
bugzilla·2011-12-15·CVSS 5.0
CVE-2011-4612 [MEDIUM] CVE-2011-4612 icecast2: Newline injection in error.log [epel-5]
epel-5 tracking bug for icecast: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
"This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs."
Except... well... this bug is public. And judging from the history on the bug report, it was filed public.
Correct me if I'm wrong please, but it appears there is a 6 month old public security issue in icecast binaries in EPEL, which have no official rpm updates?
icecast 2.3.3 was just released that fixes this issue, please issue a security update soon.
Thanks in advance.
Bugzilla
CVE-2011-4612 icecast2: Newline injection in error.log
bugzilla·2011-12-15·CVSS 5.0
CVE-2011-4612 [MEDIUM] CVE-2011-4612 icecast2: Newline injection in error.log
A security bug was reported by Moritz Naumann against icecast in
Ubuntu. You are being emailed as the upstream contact. Please keep
[email protected][1] CC'd for any updates on this issue.
This issue should be considered public and has not yet been assigned a
CVE.
Details from the public bug follow:
https://launchpad.net/bugs/894782
From the reporter:
"Newline injection in error.log
Running this command against an icecast2 running on 127.0.0.1...
echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%
0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%
0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%
20fserve/fserve_client_create%20req%20for%20file%
20"'"'"/usr/share/icecast2/web/ HTTP/
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090668.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090695.html
http://www.icecast.org/
https://bugzilla.redhat.com/show_bug.cgi?id=768176