Vulnerability Details : CVE-2014-9449
Buffer overflow in the RiffVideo::infoTagsHandler function in riffvideo.cpp in Exiv2 0.24 allows remote attackers to cause a denial of service (crash) via a long IKEY INFO tag value in an AVI file.
Vulnerability category: OverflowDenial of service
Products affected by CVE-2014-9449
- cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
- cpe:2.3:a:exiv2:exiv2:0.24:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-9449
2.84%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 91 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-9449
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2014-9449
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-9449
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148382.html
[SECURITY] Fedora 21 Update: exiv2-0.24-4.fc21Third Party Advisory
-
http://www.ubuntu.com/usn/USN-2454-1
USN-2454-1: Exiv2 vulnerability | Ubuntu security notices
-
https://security.gentoo.org/glsa/201507-03
Exiv2: Denial of Service (GLSA 201507-03) — Gentoo security
-
http://dev.exiv2.org/projects/exiv2/repository/diff?rev=3264&rev_to=3263
404 - Exiv2Issue Tracking
-
http://www.securityfocus.com/bid/71912
Exiv2 'riffvideo.cpp' Remote Buffer Overflow Vulnerability
-
http://dev.exiv2.org/issues/960
Bug #960: Problem With Exiv2 ( Video files) - Exiv2Issue Tracking;Vendor Advisory
Jump to