CVE-2017-8312 : Heap out-of-bound read in ParseJSS in VideoLAN VLC due to missing check of strin

Heap out-of-bound read in ParseJSS in VideoLAN VLC due to missing check of string length allows attackers to read heap uninitialized data via a crafted subtitles file.

Published 2017-05-23 21:29:00

Updated 2018-10-17 16:53:50

Source Check Point Software Technologies Ltd.

View at NVD, CVE.org

Products affected by CVE-2017-8312

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Videolan » Vlc Media Player
Versions before (<) 2.2.6
cpe:2.3:a:videolan:vlc_media_player:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2017-8312

Top countries where our scanners detected CVE-2017-8312

Top open port discovered on systems with this issue 80

IPs affected by CVE-2017-8312 480

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2017-8312!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2017-8312

EPSS FAQ

0.34%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 54 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-8312

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.5	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2017-8312

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-8312

http://www.debian.org/security/2017/dsa-3899

Debian -- Security Information -- DSA-3899-1 vlc
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/98631

VideoLAN VLC CVE-2017-8312 Information Disclosure Vulnerability
Third Party Advisory;VDB Entry
http://git.videolan.org/?p=vlc.git;a=blobdiff;f=modules/demux/subtitle.c;h=5e4fcdb7f25b2819f5441156c7c0ea2a7d112ca3;hp=2a75fbfb7c3f56b24b2e4498bbb8fe0aa2575974;hb=611398fc8d32f3fe4331f60b220c52ba3557beaa;hpb=075bc7169b05b004fa0250e4a4ce5516b05487a9

git.videolan.org Git - vlc.git/blobdiff - modules/demux/subtitle.c
Patch;Vendor Advisory
https://security.gentoo.org/glsa/201707-10

VLC: Multiple vulnerabilities (GLSA 201707-10) — Gentoo security
Third Party Advisory

CVEs referencing this url