CVE-2018-19365
published 2019-03-21


Priority: P183, critical, CVSS 3.1 base score 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 22.86% (97.4th percentile)
The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request.

Affected

1 range

Vendor: wowza
Product: streaming_engine
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

URL: /enginemanager/server/logs/download?logType=error&logName=../../../../../../../../etc/passwd&logSource=engine
Path: /enginemanager/server/logs/download
  • Look for HTTP GET requests targeting the Wowza REST API endpoint /enginemanager/server/logs/download with path traversal sequences (../../../../) in the logName parameter.
  • A successful exploitation returns HTTP 200 with /etc/passwd content matching root:.*:0:0: in the response body.
  • Shodan query can be used to identify exposed Wowza Streaming Engine Manager instances: http.title:"manager" product:"wowza streaming engine"
  • The vulnerability is unauthenticated (PR:N) and network-reachable (AV:N), meaning no credentials are required to exploit the directory traversal via the REST API.
  • Affected version is specifically Wowza Streaming Engine 4.7.4.01; the logName query parameter is the injection point for path traversal sequences.

CVSS provenance

Source: nvd, CVSS v3.1, 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Source: nvd, CVSS v2.0, 6.4 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:P
Source: vulncheck, 9.1 CRITICAL