CVE-2019-6256

Name of the Vulnerable Software and Affected Versions Live555 Media Server version 0.93

Description A Denial of Service issue was discovered in the LIVE555 Streaming Media libraries as used in Live555 Media Server. It can cause an RTSPServer crash in handleHTTPCmd TunnelingPOST, when RTSP-over-HTTP tunneling is supported, via x-sessioncookie HTTP headers in a GET request and a POST request within the same TCP session. This occurs because of a call to an incorrect virtual function pointer in the readSocket function in GroupsockHelper.cpp. The vulnerability exists due to insufficient input validation in the readSocket function of the liblivemedia library, which can allow a remote attacker to cause a denial of service.

Recommendations For Live555 Media Server version 0.93, as a temporary workaround, consider disabling the handleHTTPCmd TunnelingPOST function or restricting RTSP-over-HTTP tunneling support until a patch is available. Additionally, restrict access to the readSocket function in GroupsockHelper.cpp to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.