Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2007-0017 — Use of Externally-Controlled Format String in VLC Media Player
Severity
6.8MEDIUMNVD
GHSA7.5
EPSS
51.2%
top 2.11%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedJan 3
Latest updateMay 1
Description
Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.
CVSS vector
AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4
Affected Packages2 packages
Patches
🔴Vulnerability Details
4GHSA▶
GHSA-xh7p-83h3-2grw: Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access↗2022-05-01
CVEList▶
CVE-2007-0017: Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access↗2007-01-03
OSV▶
CVE-2007-0017: Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access↗2007-01-03
💥Exploits & PoCs
2📋Vendor Advisories
1Debian▶
CVE-2007-0017: vlc - Multiple format string vulnerabilities in (1) the cdio_log_handler function in m...↗2007