CVE-2017-8311
published 2017-05-23
CVE-2017-8311: Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2.2.5 due to skipping NULL terminator in an input string allows attackers to execute…
Priority P347 · high · 7.8 · CVSS 3.0
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 8.77% (94.5th percentile)
Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2.2.5 due to skipping NULL terminator in an input string allows attackers to execute arbitrary code via a crafted subtitles file.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | < vlc 2.2.5-1 (bookworm) | vlc 2.2.5-1 (bookworm) |
| videolan | vlc | — | — |
| videolan | vlc_media_player | <= 2.2.4 | — |
| videolan | vlc_media_player | >= 0 < 2.2.5-1 | 2.2.5-1 |
| videolan | vlc_media_player | >= 0 < 2.2.5-1 | 2.2.5-1 |
| videolan | vlc_media_player | >= 0 < 2.2.5-1 | 2.2.5-1 |
| videolan | vlc_media_player | >= 0 < 2.2.5-1 | 2.2.5-1 |
CVSS provenance
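| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 7.8 | HIGH | |
| vendor_debian | | 7.8 | HIGH | |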
GHSA
ghsa_unreviewed·2022-05-14
CVE-2017-8311 [HIGH] CWE-119 GHSA-h3gx-7f25-5jxg: Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2
OSV
osv·2017-05-23·CVSS 7.8
CVE-2017-8311 [HIGH] CVE-2017-8311: Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2
Debian
vendor_debian·2017·CVSS 7.8
CVE-2017-8311 [HIGH] CVE-2017-8311: vlc - Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2.2.5 du...
Scope: local
bookworm: resolved (fixed in 2.2.5-1)
bullseye: resolved (fixed in 2.2.5-1)
forky: resolved (fixed in 2.2.5-1)
sid: resolved (fixed in 2.2.5-1)
trixie: resolved (fixed in 2.2.5-1)
No detection rules found.
Checkpoint
Hacked in Translation – “Director’s Cut” – Full Technical Details
blogs_checkpoint·2017-07-08
CVE-2017-8314 Hacked in Translation – “Director’s Cut” – Full Technical Details
Background
Recently, Check Point researchers revealed a brand new attack vector – attack by subtitles. As discussed in th
arXiv
Hacked in Translation -- from Subtitles to Complete Takeover
arxiv_fulltext·2024-08-01
## Background
Check Point researchers revealed a new attack vector which threatens millions of users worldwide - attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim's media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years.
Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are auto
http://git.videolan.org/?p=vlc.git%3Ba=commitdiff%3Bh=775de716add17322f24b476439f903a829446eb6
http://www.debian.org/security/2017/dsa-3899
http://www.securityfocus.com/bid/98634
https://security.gentoo.org/glsa/201707-10
https://www.exploit-db.com/exploits/44514/