CVE-2023-46480

9.8 CRITICAL

📋 TL;DR

A Server-Side Request Forgery (SSRF) vulnerability in OwnCast v0.1.1 allows remote attackers to execute arbitrary code and access sensitive information via the authHost parameter in the indieauth function. This affects all OwnCast instances running the vulnerable version. Attackers can exploit this without authentication.

💻 Affected Systems

Products:
  • OwnCast
Versions: v0.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of OwnCast v0.1.1 are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with remote code execution, data exfiltration, and lateral movement within the network.

🟠 Likely Case: Remote code execution leading to service disruption, data theft, and potential ransomware deployment.

🟢 If Mitigated: Limited impact if network segmentation and strict outbound firewall rules prevent internal resource access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists, making exploitation trivial for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.1.2 or later

Vendor Advisory: https://github.com/owncast/owncast

Restart Required: Yes

Instructions:

1. Back up configuration and data.
2. Stop the OwnCast service.
3. Update to v0.1.2 or later via package manager or manual download.
4. Restart the OwnCast service.
5. Verify functionality.

🔧 Temporary Workarounds

Network Segmentation

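Platform: Linux

Restrict the OwnCast instance from accessing internal network resources via firewall rules. The rule below assumes the service runs as the local user owncast. It drops only new outbound TCP connections from that user to private and link-local ranges, so replies to viewers and connections to public hosts keep working. A rule that drops all of that user's outbound TCP would also drop the server's own responses.

iptables -A OUTPUT -p tcp -m owner --uid-owner owncast -m conntrack --ctstate NEW -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j DROP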

🧯 If You Can't Patch

  • Isolate the OwnCast instance in a DMZ with strict outbound firewall rules.
  • Implement web application firewall (WAF) rules to block requests containing internal IP addresses or localhost references.

🔍 How to Verify

Check if Vulnerable:

Check OwnCast version via web interface or configuration file; if version is exactly 0.1.1, it is vulnerable.

Check Version:

curl -s http://localhost:8080/api/status | grep version

Verify Fix Applied:

Confirm version is 0.1.2 or higher and test indieauth functionality with controlled authHost values.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from OwnCast to internal IPs
  • Multiple failed authentication attempts via indieauth

Network Indicators:

  • HTTP requests to internal resources from OwnCast server
  • Unexpected ports being accessed from OwnCast instance

SIEM Query:

source="owncast.log" AND (authHost CONTAINS "localhost" OR authHost CONTAINS "127.0.0.1" OR authHost CONTAINS "192.168." OR authHost CONTAINS "10.")
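
An added example (not part of the original advisory and not OwnCast code): the substring query above misses 172.16.0.0/12 and IPv6 loopback and also matches public addresses such as 210.10.5.7, so this Python check parses the authHost value and tests the address itself. The `authHost=<value>` log shape and the sample lines are constructed assumptions; adapt the regular expression to your actual log format.

```python
import ipaddress
import re
from urllib.parse import urlsplit

LOCAL_NAMES = {"localhost", "localhost.localdomain"}
# Assumed log shape: the value appears as authHost=<value>; adjust to your logs.
AUTH_HOST_RE = re.compile(r"authHost=(\S+)")

def host_of(value):
    """Extract the lower-cased host from an authHost value (URL or bare host[:port])."""
    try:
        parts = urlsplit(value if "://" in value else "//" + value)
        return (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed value, e.g. unbalanced IPv6 brackets
        return ""

def is_internal(value):
    """True if the host is a local name or a non-public IP literal."""
    host = host_of(value)
    if host in LOCAL_NAMES or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name; resolving it is out of scope here
        return False
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 address
    return not ip.is_global

def flag_lines(lines):
    """Return (line_number, host) for every line whose authHost is internal."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = AUTH_HOST_RE.search(line)
        if match and is_internal(match.group(1)):
            hits.append((number, host_of(match.group(1))))
    return hits

# Constructed sample lines, not real OwnCast log output.
SAMPLE = [
    "level=info msg=indieauth authHost=https://example.com/",
    "level=info msg=indieauth authHost=http://172.16.4.20:9000/admin",
    "level=info msg=indieauth authHost=http://210.10.5.7/",
    "level=info msg=indieauth authHost=http://[::1]:8080/",
    "level=info msg=indieauth authHost=http://LOCALHOST./x",
]

if __name__ == "__main__":
    for number, host in flag_lines(SAMPLE):
        print(f"line {number}: internal authHost target {host}")
```

DNS names that resolve to internal addresses are not caught by this check; correlate flagged and unflagged authHost values with outbound connection logs from the OwnCast host.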
