CVE-2017-8313
Published 2017-05-23
Priority P4 · 17 · medium · 5.5 · CVSS 3.0
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 1.48% (70.8th percentile)
Heap out-of-bound read in ParseJSS in VideoLAN VLC before 2.2.5 due to missing check of string termination allows attackers to read data beyond allocated memory and potentially crash the process via a crafted subtitles file.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | < vlc 2.2.5-1 (bookworm) | vlc 2.2.5-1 (bookworm) |
| videolan | vlc | < 2.2.5 | 2.2.5 |
| videolan | vlc_media_player | <= 2.2.4 | — |
| videolan | vlc_media_player | >= 0 < 2.2.5-1 | 2.2.5-1 |
| videolan | vlc_media_player | >= 0 < 2.2.5-1 | 2.2.5-1 |
| videolan | vlc_media_player | >= 0 < 2.2.5-1 | 2.2.5-1 |
| videolan | vlc_media_player | >= 0 < 2.2.5-1 | 2.2.5-1 |
CVSS provenance
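| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 5.5 | MEDIUM | — |
| vendor_debian | — | 5.5 | MEDIUM | — |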
Debian
CVE-2017-8313: vlc - Heap out-of-bound read in ParseJSS in VideoLAN VLC before 2.2.5 due to missing c...
vendor_debian·2017·CVSS 5.5
Scope: local
bookworm: resolved (fixed in 2.2.5-1)
bullseye: resolved (fixed in 2.2.5-1)
forky: resolved (fixed in 2.2.5-1)
sid: resolved (fixed in 2.2.5-1)
trixie: resolved (fixed in 2.2.5-1)
GHSA
GHSA-x47q-49w5-cg3q: Heap out-of-bound read in ParseJSS in VideoLAN VLC before 2
ghsa_unreviewed·2022-05-17
CVE-2017-8313 · MEDIUM · CWE-125
OSV
CVE-2017-8313: Heap out-of-bound read in ParseJSS in VideoLAN VLC before 2
osv·2017-05-23·CVSS 5.5
No detection rules found.
No public exploits indexed.
Checkpoint
Hacked in Translation – “Director’s Cut” – Full Technical Details
blogs_checkpoint·2017-07-08
CVE-2017-8314 Hacked in Translation – “Director’s Cut” – Full Technical Details
## Hacked in Translation – “Director’s Cut” – Full Technical Details
Background
Recently, Check Point researchers revealed a brand new attack vector – attack by subtitles. As discussed in th
arXiv
Hacked in Translation -- from Subtitles to Complete Takeover
arxiv_fulltext·2024-08-01
## Background
Check Point researchers revealed a new attack vector which threatens millions of users worldwide - attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim's media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years.
Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are auto
http://git.videolan.org/?p=vlc/vlc-2.2.git%3Ba=commitdiff%3Bh=05b653355ce303ada3b5e0e645ae717fea39186c
http://www.debian.org/security/2017/dsa-3899
http://www.securityfocus.com/bid/98633
https://security.gentoo.org/glsa/201707-10