GHSA-93fx-5qgc-wr38: AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs
AzuraCast’s ConfigWriter::cleanUpString() method fails to sanitize Liquidsoap string interpolation sequences (#{...}), allowing authenticated users with StationPermissions::Media or StationPermissions::Profile permissions to inject arbitrary Liquidsoap code into the generated configuration file. When the station is restarted and Liquidsoap parses the config, #{...} expressions are evaluated, enabling arbitrary command execution via Liquidsoap’s process.run() function.
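As an added illustration, not AzuraCast's own code or its fix, the helper below audits station fields for the `#{` token that Liquidsoap would interpolate, and shows why a single-pass strip is bypassable while a fixed-point strip is not; the field names and sample records are assumed and constructed.

```python
import re

# Liquidsoap evaluates "#{...}" inside double-quoted strings, so any user-controlled
# value written into the generated config must not carry the opening token.
INTERPOLATION_OPEN = re.compile(r"#\{")


def contains_interpolation(value: str) -> bool:
    """True if the value would open an interpolation once placed in a Liquidsoap string."""
    return INTERPOLATION_OPEN.search(value) is not None


def naive_strip(value: str) -> str:
    """Single-pass removal (weak): deleting one '#{' can leave a new '#{' behind."""
    return value.replace("#{", "")


def strip_interpolation(value: str) -> str:
    """Remove '#{' until none remains, so the result cannot open an interpolation.
    Rejecting the value outright is the stricter alternative."""
    while INTERPOLATION_OPEN.search(value):
        value = INTERPOLATION_OPEN.sub("", value)
    return value


# Assumed key names for the inputs the advisory describes (station metadata, playlist URLs).
AUDITED_FIELDS = ("name", "description", "playlist_url")


def audit_station(station: dict) -> list:
    """Return the audited field names whose values contain an interpolation token."""
    return [f for f in AUDITED_FIELDS if contains_interpolation(str(station.get(f, "")))]


# Constructed sample records for offline testing.
SAMPLE_STATIONS = [
    {"name": "Morning Mix", "description": "Jazz & #news",
     "playlist_url": "https://example.invalid/list.m3u"},
    {"name": "Night #{show}", "description": "plain",
     "playlist_url": "https://example.invalid/#{x}.m3u"},
]

if __name__ == "__main__":
    for s in SAMPLE_STATIONS:
        print(s["name"], "->", audit_station(s) or "clean")
```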
References
- github.com/AzuraCast/AzuraCast
- github.com/AzuraCast/AzuraCast/commit/d04b5c55ce0d867bcb87f49f7082bf8edbcd360c
- github.com/AzuraCast/AzuraCast/commit/ff49ef4d0fa571a3661abff6d0a9546ba3ed5df5
- github.com/AzuraCast/AzuraCast/releases/tag/0.23.4
- github.com/AzuraCast/AzuraCast/security/advisories/GHSA-93fx-5qgc-wr38
- github.com/advisories/GHSA-93fx-5qgc-wr38