CVE-2024-52056: 
Wowza Streaming Engine vulnerability analysis and mitigation

Path Traversal vulnerability (CVE-2024-52056) affects the Manager component of Wowza Streaming Engine versions below 4.9.1. This vulnerability allows an administrator user to delete any directory on the file system if the target directory contains an XML definition file. The vulnerability was discovered by Ryan Emmons from Rapid7 and was patched on November 20, 2024 (Rapid7 Blog).

The vulnerability has been assigned a CVSS score of 6.9 (Medium) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and affects Wowza Streaming Engine versions from 4.3.0 up to but not including 4.9.1 (NVD).

If exploited, this vulnerability allows an authenticated administrator to delete any directory on the host system, provided the target directory contains an XML file. This could potentially lead to system disruption or data loss (Security Online).

The vulnerability has been fixed in Wowza Streaming Engine version 4.9.1. Organizations are advised to upgrade to this version or later to remediate the issue. Rapid7's InsightVM and Nexpose customers can assess their exposure to CVE-2024-52056 with authenticated vulnerability checks available as of the November 20, 2024 content release (Rapid7 Blog).

Wowza Media Systems responded to the disclosure stating, "We at Wowza Media Systems are focused on security excellence, and by partnering with trusted researchers like Rapid7, we proactively respond to and fix vulnerabilities to safeguard our customers' interests" (Rapid7 Blog).