Unauthenticated SubSonic backend access in Ampache
CVE-2021-21399

9.1CRITICAL

Key Information:

Vendor: Ampache
Status: Ampache
Vendor: CVE Published:; 13 April 2021

What is CVE-2021-21399?

Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For more details and workaround guidance see the referenced GitHub security advisory.

Affected Version(s)

ampache < 4.4.1

References

https://github.com/ampache/ampache/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 13, 2021
Vulnerability Reserved
Dec 22, 2020