Vulnerability Details : CVE-2016-1897
FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.
Vulnerability category: Information leak
Products affected by CVE-2016-1897
- cpe:2.3:a:ffmpeg:ffmpeg:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.14:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.8:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.8:dev:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.16:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.15:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-1897
0.53%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 74 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-1897
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST | |
5.5
|
MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2016-1897
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-1897
-
https://www.kb.cert.org/vuls/id/772447
VU#772447 - ffmpeg and Libav cross-domain information disclosure vulnerability
-
http://www.securityfocus.com/bid/80501
FFMPEG and Libav Multiple Information Disclosure Vulnerabilities
-
http://security.stackexchange.com/questions/110644
vulnerability - How to handle media files from untrusted sources? - Information Security Stack ExchangeExploit
-
http://www.securitytracker.com/id/1034932
FFmpeg Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System - SecurityTracker
-
http://habrahabr.ru/company/mailru/blog/274855
Опасное видео: как я нашёл уязвимость в видеохостингах и не умер через 7 дней / Mail.ru Group corporate blog / HabrExploit
-
http://www.openwall.com/lists/oss-security/2016/01/14/1
oss-security - Re: Fwd: FFmpeg: stealing local files with HLS+concat
-
https://security.gentoo.org/glsa/201705-08
libav: Multiple vulnerabilities (GLSA 201705-08) — Gentoo security
-
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.529036
The Slackware Linux Project: Slackware Security Advisories
-
http://www.ubuntu.com/usn/USN-2944-1
USN-2944-1: Libav vulnerabilities | Ubuntu security notices
-
http://www.debian.org/security/2016/dsa-3506
Debian -- Security Information -- DSA-3506-1 libav
-
https://security.gentoo.org/glsa/201606-09
FFmpeg: Multiple vulnerabilities (GLSA 201606-09) — Gentoo security
-
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00034.html
[security-announce] openSUSE-SU-2016:0243-1: important: Security update
Jump to