CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-49096 – Argument Injection in FFmpeg codec parameters in Jellyfin
https://notcve.org/view.php?id=CVE-2023-49096
Those arguments land in the command line of FFmpeg. Because UseShellExecute is always set to false, we can’t simply terminate the FFmpeg command and execute our own. It should only be possible to add additional arguments to FFmpeg, which is powerful enough as it stands. ... Esos argumentos llegan a la línea de comando de FFmpeg. ... Sólo debería ser posible agregar argumentos adicionales a FFmpeg, que es lo suficientemente poderoso tal como está. • https://cwe.mitre.org/data/definitions/88.html https://en.wikipedia.org/wiki/Pass_the_hash https://ffmpeg.org/ffmpeg-filters.html#drawtext-1 https://github.com/jellyfin/jellyfin/commit/a656799dc879d16d21bf2ce7ad412ebd5d45394a https://github.com/jellyfin/jellyfin/issues/5415 https://github.com/jellyfin/jellyfin/security/advisories/GHSA-866x-wj5j-2vf4 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 1CVE-2022-4907
https://notcve.org/view.php?id=CVE-2022-4907
Uninitialized Use in FFmpeg in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. • https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_29.html https://crbug.com/1358168 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2LE64KGGOISKPKMYROSDT4K6QFVDIRF6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B6SAST6CB5KKCQKH75ER2UQ3ICYPHCIZ https://www.debian.org/security/2023/dsa-5552 •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-39018
https://notcve.org/view.php?id=CVE-2023-39018
FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.... Se ha descubierto que FFmpeg v0.7.0 e inferiores contienen una vulnerabilidad de inyección de código en el componente "net.bramp.ffmpeg.FFmpeg..". • https://github.com/bramp/ffmpeg-cli-wrapper/blob/master/src/main/java/net/bramp/ffmpeg/FFmpeg.java https://github.com/bramp/ffmpeg-cli-wrapper/issues/291 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-48434
https://notcve.org/view.php?id=CVE-2022-48434
libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used). • https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KOMB6WRUC55VWV25IKJTV22KARBUGWGQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PQHNSWXFUN3VJ3AO2AEJUK3BURSGM5G2 https://news.ycombinator.com/item? • CWE-416: Use After Free •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28435 – Command Injection
https://notcve.org/view.php?id=CVE-2020-28435
This affects all versions of package ffmpeg-sdk. ... Esto afecta a todas las versiones del paquete ffmpeg-sdk. • https://security.snyk.io/vuln/SNYK-JS-FFMPEGSDK-1050429 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •