CVE-2007-6278 — Improper Input Validation in Flac

CWE-20 — Improper Input Validation CWE-2646 documents6 sources

Severity

9.3CRITICALNVD

EPSS

2.5%

top 14.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Flac Project Flac Debian Flac Flac Libflac

Timeline

PublishedDec 7

Latest updateMay 1

Description

Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allows user-assisted remote attackers to force a client to download arbitrary files via the MIME-Type URL flag (-->) for the FLAC image file in a crafted .FLAC file.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages3 packages

▶NVDflac/libflac1.2

▶debiandebian/flac< flac 1.2.1-1 (bookworm)

▶Debianflac_project/flac< 1.2.1-1+3

Patches

Patch: www.kb.cert.org ↗Patch: www.securitytracker.com ↗Patch: www.kb.cert.org ↗

🔴Vulnerability Details

GHSA

GHSA-3jhf-59jq-5cpv: Free Lossless Audio Codec (FLAC) libFLAC before 1↗2022-05-01

▶

OSV

CVE-2007-6278: Free Lossless Audio Codec (FLAC) libFLAC before 1↗2007-12-07

▶

📋Vendor Advisories

Red Hat

FLAC doesn't enforce a MIME type for image referenced by URL↗2007-11-15

▶

Debian

CVE-2007-6278: flac - Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allows user-assisted remot...↗2007

▶

💬Community

Bugzilla

CVE-2007-6278 FLAC doesn't enforce a MIME type for image referenced by URL↗2007-12-07

▶