CVE-2016-1898 : FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protoco

FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file.

Published 2016-01-15 03:59:24

Updated 2018-10-30 16:27:32

Source MITRE

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2016-1898

Probability of exploitation activity in the next 30 days: 0.43%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 71 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-1898

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.5	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2016-1898

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-1898

https://www.kb.cert.org/vuls/id/772447

VU#772447 - ffmpeg and Libav cross-domain information disclosure vulnerability

CVEs referencing this url
http://www.securityfocus.com/bid/80501

FFMPEG and Libav Multiple Information Disclosure Vulnerabilities

CVEs referencing this url
http://www.securitytracker.com/id/1034932

FFmpeg Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System - SecurityTracker

CVEs referencing this url
http://habrahabr.ru/company/mailru/blog/274855

Опасное видео: как я нашёл уязвимость в видеохостингах и не умер через 7 дней / Mail.ru Group corporate blog / Habr
Exploit

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2016/01/14/1

oss-security - Re: Fwd: FFmpeg: stealing local files with HLS+concat

CVEs referencing this url
https://security.gentoo.org/glsa/201705-08

libav: Multiple vulnerabilities (GLSA 201705-08) — Gentoo security

CVEs referencing this url
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.529036

The Slackware Linux Project: Slackware Security Advisories

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2944-1

USN-2944-1: Libav vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://www.debian.org/security/2016/dsa-3506

Debian -- Security Information -- DSA-3506-1 libav

CVEs referencing this url
https://security.gentoo.org/glsa/201606-09

FFmpeg: Multiple vulnerabilities (GLSA 201606-09) — Gentoo security

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00034.html

[security-announce] openSUSE-SU-2016:0243-1: important: Security update

CVEs referencing this url

Products affected by CVE-2016-1898

Ffmpeg » Ffmpeg » Version: 2.0
cpe:2.3:a:ffmpeg:ffmpeg:2.0:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.1.2
cpe:2.3:a:ffmpeg:ffmpeg:2.1.2:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.1.1
cpe:2.3:a:ffmpeg:ffmpeg:2.1.1:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.0.1
cpe:2.3:a:ffmpeg:ffmpeg:2.0.1:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.1
cpe:2.3:a:ffmpeg:ffmpeg:2.1:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.0.3
cpe:2.3:a:ffmpeg:ffmpeg:2.0.3:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.0.2
cpe:2.3:a:ffmpeg:ffmpeg:2.0.2:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.1.5
cpe:2.3:a:ffmpeg:ffmpeg:2.1.5:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2
cpe:2.3:a:ffmpeg:ffmpeg:2.2:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.0.4
cpe:2.3:a:ffmpeg:ffmpeg:2.0.4:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.0.5
cpe:2.3:a:ffmpeg:ffmpeg:2.0.5:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.4
cpe:2.3:a:ffmpeg:ffmpeg:2.2.4:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.3
cpe:2.3:a:ffmpeg:ffmpeg:2.3:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.1.3
cpe:2.3:a:ffmpeg:ffmpeg:2.1.3:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.1.4
cpe:2.3:a:ffmpeg:ffmpeg:2.1.4:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.3.2
cpe:2.3:a:ffmpeg:ffmpeg:2.3.2:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.4
cpe:2.3:a:ffmpeg:ffmpeg:2.4:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.3.4
cpe:2.3:a:ffmpeg:ffmpeg:2.3.4:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.3.3
cpe:2.3:a:ffmpeg:ffmpeg:2.3.3:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.3.5
cpe:2.3:a:ffmpeg:ffmpeg:2.3.5:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.4.3
cpe:2.3:a:ffmpeg:ffmpeg:2.4.3:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.4.2
cpe:2.3:a:ffmpeg:ffmpeg:2.4.2:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.4.1
cpe:2.3:a:ffmpeg:ffmpeg:2.4.1:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.0.6
cpe:2.3:a:ffmpeg:ffmpeg:2.0.6:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.6
cpe:2.3:a:ffmpeg:ffmpeg:2.2.6:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.7
cpe:2.3:a:ffmpeg:ffmpeg:2.2.7:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.14
cpe:2.3:a:ffmpeg:ffmpeg:2.2.14:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.5.1
cpe:2.3:a:ffmpeg:ffmpeg:2.5.1:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.5
cpe:2.3:a:ffmpeg:ffmpeg:2.2.5:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.12
cpe:2.3:a:ffmpeg:ffmpeg:2.2.12:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.13
cpe:2.3:a:ffmpeg:ffmpeg:2.2.13:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.4.6
cpe:2.3:a:ffmpeg:ffmpeg:2.4.6:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.4.7
cpe:2.3:a:ffmpeg:ffmpeg:2.4.7:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.6.1
cpe:2.3:a:ffmpeg:ffmpeg:2.6.1:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.2
cpe:2.3:a:ffmpeg:ffmpeg:2.2.2:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.3
cpe:2.3:a:ffmpeg:ffmpeg:2.2.3:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.10
cpe:2.3:a:ffmpeg:ffmpeg:2.2.10:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.11
cpe:2.3:a:ffmpeg:ffmpeg:2.2.11:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.4.4
cpe:2.3:a:ffmpeg:ffmpeg:2.4.4:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.4.5
cpe:2.3:a:ffmpeg:ffmpeg:2.4.5:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.5.4
cpe:2.3:a:ffmpeg:ffmpeg:2.5.4:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.5.5
cpe:2.3:a:ffmpeg:ffmpeg:2.5.5:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.1
cpe:2.3:a:ffmpeg:ffmpeg:2.2.1:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.8
cpe:2.3:a:ffmpeg:ffmpeg:2.2.8:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.9
cpe:2.3:a:ffmpeg:ffmpeg:2.2.9:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.5.2
cpe:2.3:a:ffmpeg:ffmpeg:2.5.2:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.5.3
cpe:2.3:a:ffmpeg:ffmpeg:2.5.3:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.7.2
cpe:2.3:a:ffmpeg:ffmpeg:2.7.2:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.8.1
cpe:2.3:a:ffmpeg:ffmpeg:2.8.1:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.8.2
cpe:2.3:a:ffmpeg:ffmpeg:2.8.2:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.7.1
cpe:2.3:a:ffmpeg:ffmpeg:2.7.1:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.6.4
cpe:2.3:a:ffmpeg:ffmpeg:2.6.4:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.8.3
cpe:2.3:a:ffmpeg:ffmpeg:2.8.3:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.7
cpe:2.3:a:ffmpeg:ffmpeg:2.7:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.6.6
cpe:2.3:a:ffmpeg:ffmpeg:2.6.6:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.5.9
cpe:2.3:a:ffmpeg:ffmpeg:2.5.9:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.5.8
cpe:2.3:a:ffmpeg:ffmpeg:2.5.8:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.5
cpe:2.3:a:ffmpeg:ffmpeg:2.5:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.8
cpe:2.3:a:ffmpeg:ffmpeg:2.8:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.8 Update DEV
cpe:2.3:a:ffmpeg:ffmpeg:2.8:dev:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.6.5
cpe:2.3:a:ffmpeg:ffmpeg:2.6.5:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.5.7
cpe:2.3:a:ffmpeg:ffmpeg:2.5.7:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.5.6
cpe:2.3:a:ffmpeg:ffmpeg:2.5.6:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.4.12
cpe:2.3:a:ffmpeg:ffmpeg:2.4.12:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.4.11
cpe:2.3:a:ffmpeg:ffmpeg:2.4.11:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.4.10
cpe:2.3:a:ffmpeg:ffmpeg:2.4.10:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.7.4
cpe:2.3:a:ffmpeg:ffmpeg:2.7.4:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.7.3
cpe:2.3:a:ffmpeg:ffmpeg:2.7.3:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.6.3
cpe:2.3:a:ffmpeg:ffmpeg:2.6.3:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.6.2
cpe:2.3:a:ffmpeg:ffmpeg:2.6.2:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.4.9
cpe:2.3:a:ffmpeg:ffmpeg:2.4.9:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.4.8
cpe:2.3:a:ffmpeg:ffmpeg:2.4.8:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.3.1
cpe:2.3:a:ffmpeg:ffmpeg:2.3.1:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.16
cpe:2.3:a:ffmpeg:ffmpeg:2.2.16:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.1.8
cpe:2.3:a:ffmpeg:ffmpeg:2.1.8:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.8.4
cpe:2.3:a:ffmpeg:ffmpeg:2.8.4:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.6
cpe:2.3:a:ffmpeg:ffmpeg:2.6:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.3.6
cpe:2.3:a:ffmpeg:ffmpeg:2.3.6:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.2.15
cpe:2.3:a:ffmpeg:ffmpeg:2.2.15:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.1.7
cpe:2.3:a:ffmpeg:ffmpeg:2.1.7:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.1.6
cpe:2.3:a:ffmpeg:ffmpeg:2.1.6:*:*:*:*:*:*:*
Matching versions
Ffmpeg » Ffmpeg » Version: 2.0.7
cpe:2.3:a:ffmpeg:ffmpeg:2.0.7:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
Matching versions
Opensuse » Leap » Version: 42.1
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-1898

Exploit prediction scoring system (EPSS) score for CVE-2016-1898

CVSS scores for CVE-2016-1898

CWE ids for CVE-2016-1898

References for CVE-2016-1898

Products affected by CVE-2016-1898