ALT-PU-2017-1725-1
Closed vulnerabilities
Published: 2017-06-28
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2017-9993
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
Severity: MEDIUM (5.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Severity: HIGH (7.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
- http://www.debian.org/security/2017/dsa-3957
- http://www.securityfocus.com/bid/99315
- https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021
- https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb
- https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html
- http://www.debian.org/security/2017/dsa-3957
- http://www.securityfocus.com/bid/99315
- https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021
- https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb
- https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html