CVE-2019-12730 : aa_read_header in libavformat/aadec.c in FFmpeg before 3.2.14 and 4.x before 4.1

aa_read_header in libavformat/aadec.c in FFmpeg before 3.2.14 and 4.x before 4.1.4 does not check for sscanf failure and consequently allows use of uninitialized variables.

Published 2019-06-04 14:29:01

Updated 2020-08-24 17:37:01

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2019-12730

Ffmpeg » Ffmpeg
Versions before (<) 3.2.14
cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-12730

EPSS FAQ

1.70%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 81 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-12730

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-12730

CWE-908 Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-12730

https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9b4004c054964a49c7ba44583f4cee22486dd8f2

git.ffmpeg.org Git - ffmpeg.git/commit
http://www.securityfocus.com/bid/109317

FFmpeg CVE-2019-12730 Security Bypass Vulnerability
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1.4

git.ffmpeg.org Git - ffmpeg.git/shortlog
https://security.gentoo.org/glsa/202003-65

FFmpeg: Multiple vulnerabilities (GLSA 202003-65) — Gentoo security

CVEs referencing this url
https://seclists.org/bugtraq/2019/Aug/30

Bugtraq: [SECURITY] [DSA 4502-1] ffmpeg security update
https://github.com/FFmpeg/FFmpeg/commit/ed188f6dcdf0935c939ed813cf8745d50742014b

avformat/aadec: Check for scanf() failure · FFmpeg/FFmpeg@ed188f6 · GitHub
Patch;Third Party Advisory
https://www.debian.org/security/2019/dsa-4502

Debian -- Security Information -- DSA-4502-1 ffmpeg
https://usn.ubuntu.com/4431-1/

USN-4431-1: FFmpeg vulnerabilities | Ubuntu security notices | Ubuntu

CVEs referencing this url
https://github.com/FFmpeg/FFmpeg/compare/a97ea53...ba11e40

Comparing a97ea53...ba11e40 · FFmpeg/FFmpeg · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2019-12730

Products affected by CVE-2019-12730

Exploit prediction scoring system (EPSS) score for CVE-2019-12730

CVSS scores for CVE-2019-12730

CWE ids for CVE-2019-12730

References for CVE-2019-12730