CVE-2021-21399 CRITICAL

CVE-2021-21399: Unauthenticated SubSonic backend access in Ampache

Vendor: Ampache
Product: ampache
Weakness: CWE-284
Published: April 13, 2021
Last update: August 3, 2024

CVSS base score

9.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

Ampache is a web-based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache through the Subsonic API. The attack succeeds only when the request uses a username that is not part of the site, which bypasses the auth checks. For more details and workaround guidance, see the referenced GitHub security advisory.

Key dates

02 Disclosure timeline

April 13, 2021: CVE published
August 3, 2024: Record updated