CVE-2017-9993 — Sensitive Information Exposure in Ffmpeg

CWE-200 — Sensitive Information Exposure5 documents5 sources

Severity

7.5HIGHNVD

EPSS

56.2%

top 1.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg Debian Linux

Timeline

PublishedJun 28

Latest updateMay 14

Description

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDffmpeg/ffmpeg3.0 — 3.1.9+3

▶debiandebian/ffmpeg< ffmpeg 7:3.2.6-1 (bookworm)

▶Debianffmpeg/ffmpeg< 7:3.2.6-1+3

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-935f-c84q-vhpw: FFmpeg before 2↗2022-05-14

▶

OSV

CVE-2017-9993: FFmpeg before 2↗2017-06-28

▶

📋Vendor Advisories

Debian

CVE-2017-9993: ffmpeg - FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3....↗2017

▶

📄Research Papers

CTF

video / README↗2020

▶