Vulnerability Details : CVE-2019-12730
aa_read_header in libavformat/aadec.c in FFmpeg before 3.2.14 and 4.x before 4.1.4 does not check for sscanf failure and consequently allows use of uninitialized variables.
Products affected by CVE-2019-12730
- cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-12730
1.70%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 81 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-12730
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2019-12730
-
The product uses or accesses a resource that has not been initialized.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-12730
-
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9b4004c054964a49c7ba44583f4cee22486dd8f2
git.ffmpeg.org Git - ffmpeg.git/commit
-
http://www.securityfocus.com/bid/109317
FFmpeg CVE-2019-12730 Security Bypass Vulnerability
-
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1.4
git.ffmpeg.org Git - ffmpeg.git/shortlog
-
https://security.gentoo.org/glsa/202003-65
FFmpeg: Multiple vulnerabilities (GLSA 202003-65) — Gentoo security
-
https://seclists.org/bugtraq/2019/Aug/30
Bugtraq: [SECURITY] [DSA 4502-1] ffmpeg security update
-
https://github.com/FFmpeg/FFmpeg/commit/ed188f6dcdf0935c939ed813cf8745d50742014b
avformat/aadec: Check for scanf() failure · FFmpeg/FFmpeg@ed188f6 · GitHubPatch;Third Party Advisory
-
https://www.debian.org/security/2019/dsa-4502
Debian -- Security Information -- DSA-4502-1 ffmpeg
-
https://usn.ubuntu.com/4431-1/
USN-4431-1: FFmpeg vulnerabilities | Ubuntu security notices | Ubuntu
-
https://github.com/FFmpeg/FFmpeg/compare/a97ea53...ba11e40
Comparing a97ea53...ba11e40 · FFmpeg/FFmpeg · GitHubThird Party Advisory
Jump to