GCVE - cpe:2.3:a:xiph:icecast:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:xiph:icecast:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Xiph (`732078b2-c4b9-5a7b-8ef7-5b937ffeb754`)
Product	Icecast (`94fb899f-4c55-53fe-9ee1-386ef0606e40`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:deb/debian/icecast2`	purl2cpe	2026-06-01 10:13:42.733058
`pkg:deb/ubuntu/icecast2`	purl2cpe	2026-06-01 10:13:42.733062
`pkg:github/xiph/icecast-server`	purl2cpe	2026-06-01 10:13:42.733065
`pkg:rpm/fedora/icecast`	purl2cpe	2026-06-01 10:13:42.733068
`pkg:rpm/opensuse/icecast`	purl2cpe	2026-06-01 10:13:42.733072

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2018-18820`	vulnerable	2026-06-08 05:11:14.795784	Details available A buffer overflow was discovered in the URL-authentication backend of the Icecast before 2.4.4. If the backend is enabled, then any malicious HTTP client can send a request for that specific resource including a crafted header, leading to denial of service and potentially remote code execution. Published: 2018-11-05T19:00:00.000Z Updated: 2024-08-05T11:23:08.435Z Open on db.gcve.eu Reference links http://www.securitytracker.com/id/1042019 https://security.gentoo.org/glsa/201811-09 https://lists.debian.org/debian-lts-announce/2018/11/msg00033.html http://www.openwall.com/lists/oss-security/2018/11/01/3 https://www.debian.org/security/2018/dsa-4333	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2015-3026`	vulnerable	2026-06-08 05:06:36.614061	Details available Icecast before 2.4.2, when a stream_auth handler is defined for URL authentication, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request without login credentials, as demonstrated by a request to "admin/killsource?mount=/test.ogg." Published: 2015-04-29T20:00:00.000Z Updated: 2024-08-06T05:32:21.286Z Open on db.gcve.eu Reference links http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164061.html http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163859.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00030.html https://security.gentoo.org/glsa/201508-03 http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164074.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-4612`	vulnerable	2026-06-08 04:59:32.278936	Details available icecast before 2.3.3 allows remote attackers to inject control characters such as newlines into the error loc (error.log) via a crafted URL. Published: 2012-11-20T00:00:00.000Z Updated: 2024-09-16T17:22:55.558Z Open on db.gcve.eu Reference links https://bugzilla.redhat.com/show_bug.cgi?id=768176 http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090668.html http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090695.html http://www.icecast.org/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.