CVE-2019-18214

7.7 HIGH

📋 TL;DR

The Video_Converter app 0.1.0 for Nextcloud allows denial of service via uncontrolled concurrent video conversions. Attackers can trigger multiple FFmpeg processes simultaneously, consuming all available CPU and memory resources. This affects Nextcloud instances with the vulnerable Video_Converter app installed.

💻 Affected Systems

Products:
  • Nextcloud Video_Converter app
Versions: 0.1.0 only
Operating Systems: All platforms running Nextcloud
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Nextcloud instances with the Video_Converter app installed. The vulnerability exists because conversions aren't queued for serial execution.
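The root cause above is a missing scheduler: each request starts its own FFmpeg process. The following Python is an added illustration, not code from the Video_Converter app or from Nextcloud. It contrasts the per-request pattern (peak concurrency equals the number of requests) with a bounded alternative that runs one conversion at a time and rejects requests once a small backlog is full. The job names, the backlog size, and the fake `convert` callable are constructed for the example; a real deployment would invoke FFmpeg at that point.

```python
"""Added example (not the Video_Converter app's code): why unbounded
per-request conversions exhaust a host, and a bounded alternative that
runs conversions one at a time and refuses work when the backlog is full.

Job names, backlog size and the fake `convert` callable are constructed.
"""
import queue
import threading


class ConcurrencyMeter:
    """Tracks how many conversions are in flight and the peak reached."""

    def __init__(self):
        self._lock = threading.Lock()
        self.active = 0
        self.peak = 0

    def enter(self):
        with self._lock:
            self.active += 1
            self.peak = max(self.peak, self.active)

    def leave(self):
        with self._lock:
            self.active -= 1


def spawn_per_request(jobs):
    """Vulnerable pattern: one worker per request and no admission control.
    Workers rendezvous at a barrier so the run is deterministic: every job
    is guaranteed to be in flight at the same moment, so the peak equals
    the number of requests."""
    if not jobs:
        return 0
    meter = ConcurrencyMeter()
    barrier = threading.Barrier(len(jobs))

    def worker(job):
        meter.enter()
        try:
            barrier.wait()  # stands in for a long-running FFmpeg process
        finally:
            meter.leave()

    threads = [threading.Thread(target=worker, args=(job,)) for job in jobs]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return meter.peak


class SerialConverter:
    """Mitigated pattern: a single worker drains a bounded queue, so at most
    one conversion runs at a time and excess requests are turned away up
    front instead of piling up on the host."""

    _STOP = object()

    def __init__(self, convert, max_backlog):
        self._queue = queue.Queue(maxsize=max_backlog)
        self._convert = convert
        self.meter = ConcurrencyMeter()
        self.completed = []
        self.rejected = []
        self._worker = threading.Thread(target=self._run, daemon=True)

    def submit(self, job):
        """Admission control: return False (an HTTP 429/503 in a web app)
        when the backlog is full rather than launching another process."""
        try:
            self._queue.put_nowait(job)
            return True
        except queue.Full:
            self.rejected.append(job)
            return False

    def _run(self):
        while True:
            job = self._queue.get()
            if job is self._STOP:
                break
            self.meter.enter()
            try:
                self.completed.append(self._convert(job))
            finally:
                self.meter.leave()

    def run_to_completion(self):
        """Start the worker, process everything queued so far, then stop."""
        self._worker.start()
        self._queue.put(self._STOP)  # queued behind the accepted jobs
        self._worker.join()
        return self.completed


def demo():
    jobs = [f"clip{i}.mov" for i in range(6)]  # constructed input
    peak_unbounded = spawn_per_request(jobs)
    conv = SerialConverter(lambda j: j.replace(".mov", ".mp4"), max_backlog=3)
    accepted = [conv.submit(j) for j in jobs]
    done = conv.run_to_completion()
    return peak_unbounded, accepted.count(True), len(conv.rejected), conv.meter.peak, done


if __name__ == "__main__":
    print(demo())
```

With six requests the per-request pattern reaches a peak of six concurrent conversions, while the bounded converter accepts three, rejects three, and never exceeds one conversion in flight. The backlog cap is what turns a resource-exhaustion condition into a fast, visible rejection.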

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system unavailability due to resource exhaustion, affecting all Nextcloud services and potentially the underlying server.

🟠 Likely Case: Service degradation or temporary unavailability of Nextcloud until resource-intensive processes complete or are terminated.

🟢 If Mitigated: Minimal impact with proper resource limits and monitoring in place.

🌐 Internet-Facing: HIGH - Attackers can trigger resource exhaustion remotely without authentication.
🏢 Internal Only: MEDIUM - Internal users could still cause denial of service, though less likely than external attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and is trivial - simply trigger multiple concurrent video conversions. The GitHub issue demonstrates the problem clearly.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.1 or later

Vendor Advisory: https://github.com/PaulLereverend/NextcloudVideo_Converter/issues/22

Restart Required: No

Instructions:

1. Update the Video_Converter app to version 0.1.1 or later via the Nextcloud app store.
2. No server restart is required.
3. Verify the app version in the Nextcloud admin interface.

🔧 Temporary Workarounds

Disable Video_Converter app (Linux): temporarily disable the vulnerable app until it is patched.

occ app:disable video_converter

Limit concurrent processes (Linux): use system resource limits to restrict FFmpeg processes. Note that ulimit applies only to the shell in which it is set and to that shell's children, so the limit must be applied to the account or service that runs the PHP/FFmpeg processes, not to an administrator's interactive session.

ulimit -u 50
systemctl edit --full ffmpeg.service

🧯 If You Can't Patch

  • Disable the Video_Converter app completely via Nextcloud admin interface
  • Implement rate limiting or WAF rules to restrict concurrent conversion requests

🔍 How to Verify

Check if Vulnerable:

Check Video_Converter app version in Nextcloud admin panel → Apps → Installed apps

Check Version:

occ app:list | grep video_converter

Verify Fix Applied:

Verify Video_Converter app version is 0.1.1 or higher in Nextcloud admin interface

📡 Detection & Monitoring

Log Indicators:

  • Multiple FFmpeg processes running simultaneously
  • High CPU/memory usage spikes
  • Video conversion requests in Nextcloud logs

Network Indicators:

  • Multiple concurrent POST requests to /apps/video_converter/ endpoints

SIEM Query:

source="nextcloud.log" AND "video_converter" AND "conversion" | stats count by src_ip
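The network indicator and SIEM query above both reduce to counting conversion requests per source address. The Python below is an added example, not part of the advisory or of Nextcloud, that runs that logic offline over web-server access log lines: it reports per-IP totals (the `stats count by src_ip` view) and flags addresses that exceed a threshold of conversion POSTs inside a sliding time window. The log lines, IP addresses, the `/index.php/apps/video_converter/convert` path and the thresholds are constructed for the example; only the `/apps/video_converter/` prefix comes from the indicator above.

```python
"""Added example (not from the advisory or the app): detect bursts of POST
requests to the Video_Converter endpoints in access log lines.

All log lines, addresses, the exact endpoint path and the thresholds are
constructed for illustration. Lines are assumed to be in time order, as
an access log normally is.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-format prefix: client IP, ident, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TARGET_PREFIX = "/apps/video_converter/"  # indicator from the advisory

# Constructed sample: one client fires five conversion POSTs in four
# seconds, another client makes a single conversion request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2019:12:00:00 +0000] "POST /index.php/apps/video_converter/convert HTTP/1.1" 200 512 "-" "curl/7.64"',
    '203.0.113.7 - - [10/Oct/2019:12:00:01 +0000] "POST /index.php/apps/video_converter/convert HTTP/1.1" 200 512 "-" "curl/7.64"',
    '198.51.100.2 - alice [10/Oct/2019:12:00:02 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2019:12:00:02 +0000] "POST /index.php/apps/video_converter/convert HTTP/1.1" 200 512 "-" "curl/7.64"',
    '203.0.113.7 - - [10/Oct/2019:12:00:03 +0000] "POST /index.php/apps/video_converter/convert HTTP/1.1" 200 512 "-" "curl/7.64"',
    '198.51.100.2 - alice [10/Oct/2019:12:00:05 +0000] "POST /index.php/apps/video_converter/convert HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2019:12:00:30 +0000] "POST /index.php/apps/video_converter/convert HTTP/1.1" 200 512 "-" "curl/7.64"',
    "garbage line that does not parse",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def conversion_requests(lines):
    """Yield parsed records that are POSTs to a Video_Converter endpoint."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and TARGET_PREFIX in rec["path"]:
            yield rec


def count_by_src_ip(lines):
    """Equivalent of the SIEM query's `stats count by src_ip`."""
    counts = defaultdict(int)
    for rec in conversion_requests(lines):
        counts[rec["ip"]] += 1
    return dict(counts)


def find_conversion_bursts(lines, window_seconds=10, threshold=3):
    """Return {ip: peak_count} for sources that issued more than `threshold`
    conversion POSTs within any `window_seconds` window."""
    recent = defaultdict(deque)
    alerts = {}
    for rec in conversion_requests(lines):
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        # Drop timestamps that have fallen out of the sliding window.
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(window))
    return alerts


if __name__ == "__main__":
    print(count_by_src_ip(SAMPLE_LOG))
    print(find_conversion_bursts(SAMPLE_LOG))
```

On the constructed sample the totals are five requests from 203.0.113.7 and one from 198.51.100.2, and only 203.0.113.7 trips the burst rule (four POSTs inside a ten-second window); its later request at 12:00:30 falls outside the window and does not re-alert. Tune `window_seconds` and `threshold` to the conversion time and user population of the instance being monitored.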
