This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π‘οΈ **Root Cause**: **CWE-78** (OS Command Injection). π **Flaw**: User inputs in video stream configurations are **not sanitized** before being passed to the `exec` instruction.
Q3Who is affected? (Versions/Components)
π¦ **Affected**: **Frigate** by Blake Blackshear. π **Versions**: All versions **prior to 0.16.4** (i.e., β€ 0.16.3).
Q4What can hackers do? (Privileges/Data)
π **Capabilities**: Hackers gain **Remote Command Execution**. π **Impact**: High severity (CVSS 9.8). They can read, modify, or delete data, and escalate privileges to root/admin level.
π **Exploits**: **Yes**, public PoCs exist. π **Links**: GitHub repos by `jduardo2704` and `joshuavanderpoll` demonstrate blind RCE via go2rtc exec injection.
Q7How to self-check? (Features/Scanning)
π **Check**: Look for Frigate versions **< 0.16.4**. π **Config**: Check `config.yaml` for custom video stream inputs that might contain unsanitized user data.
Q8Is it fixed officially? (Patch/Mitigation)
β **Fixed**: **Yes**. π οΈ **Patch**: Upgrade to **Frigate v0.16.4** or later. π’ **Advisory**: See GitHub Security Advisory GHSA-4c97-5jmr-8f6x.
Q9What if no patch? (Workaround)
π§ **Workaround**: If unpatched, **restrict network access** to the NVR. π« **Mitigation**: Do not allow untrusted users to modify video stream configurations.
Q10Is it urgent? (Priority Suggestion)
π₯ **Urgency**: **Critical**. π **Priority**: Patch immediately. The CVSS score is **9.8** (Critical), and public exploits are available.