Vulnerability Details : CVE-2013-3245
Potential exploit
plugins/demux/libmkv_plugin.dll in VideoLAN VLC Media Player 2.0.7, and possibly other versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MKV file, possibly involving an integer overflow and out-of-bounds read or heap-based buffer overflow, or an uncaught exception. NOTE: the vendor disputes the severity and claimed vulnerability type of this issue, stating "This PoC crashes VLC, indeed, but does nothing more... this is not an integer overflow error, but an uncaught exception and I doubt that it is exploitable. This uncaught exception makes VLC abort, not execute random code, on my Linux 64bits machine." A PoC posted by the original researcher shows signs of an attacker-controlled out-of-bounds read, but the affected instruction does not involve a register that directly influences control flow
Vulnerability category: OverflowExecute codeDenial of service
Products affected by CVE-2013-3245
- cpe:2.3:a:videolan:vlc_media_player:2.0.7:*:*:*:*:*:*:*
Threat overview for CVE-2013-3245
Top countries where our scanners detected CVE-2013-3245
Top open port discovered on systems with this issue
110
IPs affected by CVE-2013-3245 5
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2013-3245!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2013-3245
2.51%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 90 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-3245
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
|
6.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
2.8
|
3.4
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-07-03 |
CWE ids for CVE-2013-3245
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
-
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
-
The product reads data past the end, or before the beginning, of the intended buffer.Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2013-3245
-
http://secunia.com/blog/372/
About Secunia Research | FlexeraVendor Advisory
-
http://seclists.org/fulldisclosure/2013/Jul/79
Full Disclosure: Re: VLC media player MKV Parsing POC
-
http://secunia.com/advisories/52956
Sign inVendor Advisory
-
http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia
More lies from Secunia - Yet another blog for JBKempf
-
http://www.securityfocus.com/bid/61032
VLC Media Player CVE-2013-3245 Remote Integer Overflow Vulnerability
-
http://seclists.org/fulldisclosure/2013/Jul/77
Full Disclosure: Re: VLC media player MKV Parsing POC
-
http://seclists.org/fulldisclosure/2013/Jul/71
Full Disclosure: VLC media player MKV Parsing POCExploit
Jump to