High severity 7.5 · NVD Advisory · Published Nov 29, 2024 · Updated Apr 15, 2026
CVE-2024-35371
Description
Ant-Media-Server v2.8.2 is affected by Improper Output Neutralization for Logs. The vulnerability stems from insufficient input sanitization in the logging mechanism. Without proper filtering or validation, user-controllable data, such as identifiers or other sensitive information, can be included in log entries without restrictions.
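The effect described above, as an added example that is not code from Ant Media Server or the advisory: it renders the patched `deleteBroadcasts` warning with and without neutralization and counts the physical lines a line-oriented log parser would see. The helper names `forLog`, `render` and `physicalLines`, the timestamp format and the sample id are constructed for illustration; Java 11 or later is assumed.

```java
import java.util.regex.Pattern;

public class LogNeutralizationDemo {
    // Same character class as the patch's REPLACE_CHARS_FOR_SECURITY, compiled once.
    private static final Pattern LINE_BREAKS = Pattern.compile("[\n\r]");

    // Hypothetical helper (not in the project): null-safe neutralization of a log argument.
    static String forLog(String value) {
        return value == null ? "null" : LINE_BREAKS.matcher(value).replaceAll("_");
    }

    // Stand-in for a line-oriented appender: one timestamped record per call.
    static String render(String level, String message) {
        return "2024-01-01 00:00:00 " + level + " " + message + System.lineSeparator();
    }

    // Number of physical lines a log reader or SIEM parser would see.
    static long physicalLines(String logOutput) {
        return logOutput.lines().count();
    }

    public static void main(String[] args) {
        // Constructed id: a line break followed by text shaped like a log record.
        String id = "stream1\r\n2024-01-01 00:00:01 INFO forged entry";

        String raw = render("WARN", "It cannot delete " + id + " and breaking the loop");
        String safe = render("WARN", "It cannot delete " + forLog(id) + " and breaking the loop");

        // Unneutralized: one logging call yields two records on disk.
        System.out.print(raw);
        System.out.println("-> physical lines: " + physicalLines(raw));

        // Neutralized: CR and LF become '_' and the record stays on one line.
        System.out.print(safe);
        System.out.println("-> physical lines: " + physicalLines(safe));

        // A null id is logged as text instead of throwing.
        System.out.println("null id -> " + forLog(null));
    }
}
```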
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.antmedia:ant-media-server (Maven) | < 2.9.0 | 2.9.0 |
Patches
4d4763bd4fd0 · Fix vulnerability about logging
1 file changed · +6 −2
src/main/java/io/antmedia/rest/RestServiceBase.java+6 −2 modified@@ -75,6 +75,8 @@ public abstract class RestServiceBase { + private static final String REPLACE_CHARS_FOR_SECURITY = "[\n\r]"; + public class BroadcastStatistics { @Schema(description = "The total RTMP viewers of the stream") @@ -365,6 +367,7 @@ protected Result deleteBroadcasts(String[] streamIds) { result = deleteBroadcast(id); if (!result.isSuccess()) { + id = id.replaceAll(REPLACE_CHARS_FOR_SECURITY, "_" ); logger.warn("It cannot delete {} and breaking the loop", id); break; } @@ -1168,6 +1171,7 @@ protected Result deleteVoDs(String[] vodIds) if (!result.isSuccess()) { + id = id.replaceAll(REPLACE_CHARS_FOR_SECURITY, "_" ); logger.warn("VoD:{} cannot be deleted and breaking the loop", id); break; } @@ -1311,7 +1315,7 @@ protected RecordMuxer startRecord(String streamId, RecordType recordType, int re } else { logger.info("No mux adaptor found for {} recordType:{} resolutionHeight:{}", streamId != null ? - streamId.replaceAll("[\n\r]", "_") : "null ", + streamId.replaceAll(REPLACE_CHARS_FOR_SECURITY, "_") : "null ", recordType, resolutionHeight); } @@ -1478,7 +1482,7 @@ else if (!AntMediaApplicationAdapter.PLAY_LIST.equals(broadcast.getType())) { streamFetcher.setStreamFetcherListener(null); if (logger.isInfoEnabled()) { - logger.info("Switching to next item by REST method for playlist:{} and forwarding stream fetcher listener:{}", id.replaceAll("[\n\r]", "_"), streamFetcherListener.hashCode()); + logger.info("Switching to next item by REST method for playlist:{} and forwarding stream fetcher listener:{}", id.replaceAll(REPLACE_CHARS_FOR_SECURITY, "_"), streamFetcherListener.hashCode()); } result = getApplication().getStreamFetcherManager().playItemInList(broadcast, streamFetcherListener, index);
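Review bot: In the first hunk (@@ -75), REPLACE_CHARS_FOR_SECURITY is a regex string that String.replaceAll recompiles on every call, and neither the name nor a comment says what it matches or why. Suggest a precompiled `private static final Pattern` with a short Javadoc stating that it replaces CR and LF in values written to logs, so the next contributor knows when to use it.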
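Review bot: In the deleteBroadcasts hunk (@@ -365), the added `id = id.replaceAll(REPLACE_CHARS_FOR_SECURITY, "_" );` has no null check, while the startRecord hunk guards the same call with `streamId != null ? ... : "null "`. A null element in streamIds that reaches the failure branch would throw here instead of being logged. The line also overwrites the loop variable, which is safe only because `break` follows; suggest sanitizing into a separate local used only for the log call, with the same null guard, and dropping the stray space before the closing parenthesis.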
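Review bot: The deleteVoDs hunk (@@ -1168) repeats the replaceAll line from deleteBroadcasts verbatim, which brings the patch to four call sites that each spell out the same neutralization by hand. Suggest a small private helper that takes the value and returns the log-safe string (handling null once), and calling it from all four logger statements, so a future log statement cannot get the regex or the null handling subtly different.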
References
- github.com/advisories/GHSA-2gx6-qrpp-c4p3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-35371 (ghsa, ADVISORY)
- gist.github.com/1047524396/4eb17867f2e375f4824274c5e7b4d384 (nvd, WEB)
- github.com/ant-media/Ant-Media-Server/blob/ams-v2.8.2/src/main/java/io/antmedia/rest/RestServiceBase.java (nvd, WEB)
- github.com/ant-media/ant-media-server/commit/4d4763bd4fd06e515c19544e5170ca0f34c9ce45 (nvd, WEB)