CVE-2008-3441 — Code Injection in Winamp

CWE-94 — Code Injection2 documents2 sources

Severity

7.5HIGHNVD

EPSS

1.1%

top 22.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nullsoft Winamp

Timeline

PublishedAug 1

Latest updateMay 2

Description

Nullsoft Winamp before 5.24 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

▶NVDnullsoft/winamp< 5.24

🔴Vulnerability Details

GHSA

GHSA-pjrv-f38m-2f55: Nullsoft Winamp before 5↗2022-05-02

▶