{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cdn/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["avideo","cdn","configuration-modification","vulnerability"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open source video platform, contains a critical vulnerability (CVE-2026-33719) within its CDN plugin. Versions up to and including 26.0 are affected. The vulnerability stems from the endpoints \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e and \u003ccode\u003eplugin/CDN/disable.json.php\u003c/code\u003e using key-based authentication with an empty string as the default key. Critically, when the CDN plugin is enabled but the key remains at its default (empty) state, the authentication check is bypassed entirely. This allows any unauthenticated attacker to fully modify the CDN configuration through mass-assignment via the \u003ccode\u003epar\u003c/code\u003e request parameter. This includes the ability to manipulate CDN URLs, storage credentials, and even the authentication key itself. A patch has been released in commit adeff0a31ba04a56f411eef256139fd7ed7d4310. This is significant because it can lead to complete compromise of the video delivery infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an AVideo instance with the CDN plugin enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker checks the CDN configuration by sending a GET request to \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e without any authentication headers to confirm if CDN plugin is enabled and running with default configuration.\u003c/li\u003e\n\u003cli\u003eIf the CDN key is the default empty string, the attacker crafts a malicious POST request to \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e or \u003ccode\u003eplugin/CDN/disable.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003epar\u003c/code\u003e parameter containing a JSON object with modified CDN settings, such as CDN URLs and storage credentials.\u003c/li\u003e\n\u003cli\u003eDue to the bypassed authentication, the AVideo server processes the request and updates the CDN configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker can modify the CDN URL to point to a malicious server hosting malware or phishing content.\u003c/li\u003e\n\u003cli\u003eLegitimate users requesting video content are redirected to the attacker's malicious CDN.\u003c/li\u003e\n\u003cli\u003eThe attacker can also steal storage credentials and compromise the CDN's data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33719 allows an unauthenticated attacker to take complete control over the video delivery infrastructure. This can result in serving malicious content to users, data exfiltration from the CDN storage, or complete disruption of video services. The number of victims depends on the popularity of the affected AVideo instances. This vulnerability impacts any organization using AVideo with the CDN plugin enabled and the default configuration, including educational institutions, media companies, and content creators.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit adeff0a31ba04a56f411eef256139fd7ed7d4310 or upgrade to a version of AVideo that includes this fix to remediate CVE-2026-33719.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting the \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e and \u003ccode\u003eplugin/CDN/disable.json.php\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e or \u003ccode\u003eplugin/CDN/disable.json.php\u003c/code\u003e endpoints without proper authentication headers, as these may indicate an attempted exploit.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, configure a strong, non-default key for the CDN plugin to prevent the authentication bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-avideo-cdn-config-vuln/","summary":"AVideo is vulnerable to unauthenticated configuration modification in its CDN plugin due to a bypassed key validation check when the default empty key is used, allowing modification of CDN URLs, storage credentials, and the authentication key itself.","title":"AVideo CDN Plugin Unauthenticated Configuration Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-cdn-config-vuln/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OmniFaces"],"_cs_severities":["high"],"_cs_tags":["omnifaces","el-injection","rce","cdn"],"_cs_type":"advisory","_cs_vendors":["OmniFaces"],"content_html":"\u003cp\u003eThe OmniFaces framework, a utility library for JavaServer Faces (JSF), is susceptible to EL (Expression Language) injection when the \u003ccode\u003eCDNResourceHandler\u003c/code\u003e is configured with wildcard CDN mappings. This vulnerability allows an attacker to craft a malicious resource request URL by embedding an EL expression within the resource name. This expression is then evaluated server-side, potentially leading to Remote Code Execution (RCE), information disclosure, or denial of service. The vulnerability affects OmniFaces versions before 1.14.2, versions 2.0-RC1 to 2.7.32, versions 3.0-RC1 to 3.14.16, versions 4.0-M1 to 4.7.5, and versions 5.0-M1 to 5.2.2. Applications that only use explicit resource-to-URL mappings are not affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OmniFaces application utilizing \u003ccode\u003eCDNResourceHandler\u003c/code\u003e with a wildcard CDN mapping (e.g., \u003ccode\u003elibraryName:*=https://cdn.example.com/*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a resource served through the CDN.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes an EL expression embedded within the resource name part of the URL, such as \u003ccode\u003e/javax.faces.resource/el_injection_${{...}}.js.xhtml?ln=libraryName\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCDNResourceHandler\u003c/code\u003e processes the request and extracts the resource name.\u003c/li\u003e\n\u003cli\u003eDue to the wildcard mapping, the handler attempts to resolve the resource location based on the provided name.\u003c/li\u003e\n\u003cli\u003eThe EL expression within the resource name is inadvertently evaluated by the server's EL engine.\u003c/li\u003e\n\u003cli\u003eDepending on the EL implementation and accessible objects, the attacker can execute arbitrary code, access sensitive information, or trigger a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eThe server responds to the attacker with the results of the EL expression evaluation (in case of information disclosure) or the effects of the executed code (in case of RCE).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have severe consequences. In the worst-case scenario, attackers can achieve Remote Code Execution (RCE), allowing them to gain complete control over the affected server. This control enables them to install malware, steal sensitive data, or disrupt services. Even without RCE, attackers can exploit the EL injection to disclose sensitive information or cause a denial of service by exhausting server resources. The impact varies based on the specific EL implementation and the objects available within the EL context, but any application using wildcard CDN mappings in vulnerable OmniFaces versions is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to the patched OmniFaces versions: 5.2.3, 4.7.5, 3.14.16, 2.7.32, and 1.14.2 to remediate the EL injection vulnerability as documented in the \u003ca href=\"https://github.com/advisories/GHSA-vp6r-9m58-5xv8\"\u003eGHSA advisory\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReplace wildcard CDN mappings with explicit resource-to-URL mappings as a workaround if upgrading is not immediately feasible, as described in the \u003ca href=\"https://github.com/advisories/GHSA-vp6r-9m58-5xv8\"\u003eGHSA advisory\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to detect and block requests containing suspicious EL expressions in the resource name part of the URL. Use the Sigma rule \u003ccode\u003eOmniFaces EL Injection Attempt\u003c/code\u003e as a starting point.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns in resource requests, specifically those containing EL-like syntax (e.g., \u003ccode\u003e${...}\u003c/code\u003e) in the URI query, as a general indicator of potential exploitation attempts and as covered by the Sigma rule \u003ccode\u003eOmniFaces EL Injection URI\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-omnifaces-el-injection/","summary":"A server-side EL injection vulnerability exists in OmniFaces when using CDNResourceHandler with wildcard CDN mappings, allowing attackers to inject EL expressions in resource names leading to potential remote code execution, information disclosure, or denial of service.","title":"OmniFaces EL Injection Vulnerability via Crafted Resource Name","url":"https://feed.craftedsignal.io/briefs/2024-01-omnifaces-el-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Cdn","version":"https://jsonfeed.org/version/1.1"}