CVE-2024-3462: Ant Media Server does not properly authorize non-administrative API calls

May 14, 2024 (updated November 7, 2024)

Ant Media Server Community Edition in a default configuration is vulnerable to an improper HTTP header based authorization, leading to a possible use of non-administrative API calls reserved only for authorized users. All versions up to 2.9.0 (tested) and possibly newer ones are believed to be vulnerable as the vendor has not confirmed releasing a patch.

References

antmedia.io/
cert.pl/en/posts/2024/05/CVE-2024-3462
cert.pl/posts/2024/05/CVE-2024-3462
github.com/advisories/GHSA-g95v-3pj6-j433
github.com/ant-media/Ant-Media-Server
nvd.nist.gov/vuln/detail/CVE-2024-3462

Code Behaviors & Features

Detect and mitigate CVE-2024-3462 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →