Vulnerability Details : CVE-2017-9993
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
Vulnerability category: Information leak
Products affected by CVE-2017-9993
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-9993
0.22%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 60 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-9993
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2017-9993
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-9993
-
https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb
avformat/avidec: Limit formats in gab2 to srt and ass/ssa · FFmpeg/FFmpeg@a5d849b · GitHubIssue Tracking;Patch;Third Party Advisory
-
http://www.securityfocus.com/bid/99315
FFmpeg CVE-2017-9993 Arbitrary File Read VulnerabilityThird Party Advisory;VDB Entry
-
https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html
[SECURITY] [DLA 1630-1] libav security updateMailing List;Third Party Advisory
-
http://www.debian.org/security/2017/dsa-3957
Debian -- Security Information -- DSA-3957-1 ffmpegThird Party Advisory
-
https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021
avformat/hls: Check local file extensions · FFmpeg/FFmpeg@189ff42 · GitHubIssue Tracking;Patch;Third Party Advisory
Jump to