Vulnerability Details : CVE-2017-14170
In libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, a DoS in mxf_read_index_entry_array() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted MXF file, which claims a large "nb_index_entries" field in the header but does not contain sufficient backing data, is provided, the loop would consume huge CPU resources, since there is no EOF check inside the loop. Moreover, this big loop can be invoked multiple times if there is more than one applicable data segment in the crafted MXF file.
Vulnerability category: Denial of service
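The loop pattern the description refers to, as an added example (not FFmpeg's code): a stand-in byte reader with avio-like semantics, a constructed MXF-style index header that claims 1,000,000 entries but backs only 8 bytes, and the same loop with and without the in-loop EOF check. The header layout, `reader_t` and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Tiny byte reader modelled on avio semantics (assumption, not FFmpeg code): a read
 * past the end returns 0 and latches an EOF flag instead of failing. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; int eof; } reader_t;

static uint8_t read_u8(reader_t *r) {
    if (r->pos >= r->len) { r->eof = 1; return 0; }
    return r->buf[r->pos++];
}

static uint32_t read_be32(reader_t *r) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v = (v << 8) | read_u8(r);
    return v;
}

/* Constructed inputs (hypothetical layout: nb_index_entries, entry_size, then entries). */
static const uint8_t crafted[] = {     /* claims 1,000,000 entries, backs only 8 bytes */
    0x00, 0x0F, 0x42, 0x40, 0x00, 0x00, 0x00, 0x0B,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
static const uint8_t well_formed[] = { /* claims 2 entries of 4 bytes, backs all 8 */
    0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };

/* Vulnerable pattern: trusts the claimed count and never consults EOF, so a truncated
 * file still costs nb_index_entries * entry_size reads. Returns entries processed. */
static long parse_index_vulnerable(const uint8_t *data, size_t len) {
    reader_t r = { data, len, 0, 0 };
    uint32_t nb = read_be32(&r);
    uint32_t entry_size = read_be32(&r);
    long done = 0;
    for (uint32_t i = 0; i < nb; i++) {
        for (uint32_t j = 0; j < entry_size; j++) read_u8(&r); /* silently reads zeros past EOF */
        done++;
    }
    return done;
}

/* Hardened pattern: check EOF inside the loop so a truncated file is rejected after
 * the first short entry. Returns -1 on truncation, otherwise entries processed. */
static long parse_index_hardened(const uint8_t *data, size_t len) {
    reader_t r = { data, len, 0, 0 };
    uint32_t nb = read_be32(&r);
    uint32_t entry_size = read_be32(&r);
    long done = 0;
    for (uint32_t i = 0; i < nb; i++) {
        for (uint32_t j = 0; j < entry_size; j++) read_u8(&r);
        if (r.eof) return -1; /* the EOF check the original loop lacked */
        done++;
    }
    return done;
}
```

On the crafted input the vulnerable loop spins through all 1,000,000 claimed entries while the hardened one returns -1 after the first incomplete entry; both accept the well-formed input.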
Products affected by CVE-2017-14170
- cpe:2.3:a:ffmpeg:ffmpeg:3.3.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-14170
EPSS score: 0.22% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~60% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2017-14170
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.1 | HIGH | AV:N/AC:M/Au:N/C:N/I:N/A:C | 8.6 | 6.9 | NIST |
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST |
CWE ids for CVE-2017-14170
- The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. (Assigned by: nvd@nist.gov (Primary))
References for CVE-2017-14170
- https://github.com/FFmpeg/FFmpeg/commit/900f39692ca0337a98a7cf047e4e2611071810c2
  avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() (FFmpeg/FFmpeg@900f396, GitHub). Tags: Issue Tracking; Patch; Third Party Advisory
- http://www.debian.org/security/2017/dsa-3996
  Debian -- Security Information -- DSA-3996-1 ffmpeg
- https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html
  [SECURITY] [DLA 1630-1] libav security update
- https://github.com/FFmpeg/FFmpeg/commit/f173cdfe669556aa92857adafe60cbe5f2aa1210
  avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() (FFmpeg/FFmpeg@f173cdf, GitHub)
- http://www.securityfocus.com/bid/100700
  FFmpeg 'libavformat/mxfdec.c' Denial of Service Vulnerability