CVE-2017-14170

Severity Score

6.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, a DoS in mxf_read_index_entry_array() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted MXF file, which claims a large "nb_index_entries" field in the header but does not contain sufficient backing data, is provided, the loop would consume huge CPU resources, since there is no EOF check inside the loop. Moreover, this big loop can be invoked multiple times if there is more than one applicable data segment in the crafted MXF file.

En libavformat/mxfdec.c en FFmpeg versión 3.3.3 mayor a 2.4, en DoS una denegación de servicio en mxf_read_index_entry_array() por una falta de chequeos EOF (End of File) podría provocar un enorme consumo de recursos de la CPU. Cuando se proporciona un archivo MXF manipulado que pide un campo "nb_index_entries" grande en la cabecera pero no contiene suficientes datos de respaldo, el bucle consumiría una gran cantidad de recursos de CPU, ya que el bucle no contiene ningún chequeo EOF. Además, este gran bucle se invocaría en múltiples ocasiones si existe más de un segmento de datos aplicable en el archivo MXF manipulado

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-09-07 CVE Reserved
2017-09-07 CVE Published
2023-04-27 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-834: Excessive Iteration

CAPEC

References (5)

URL	Tag	Source
http://www.securityfocus.com/bid/100700	Vdb Entry
https://github.com/FFmpeg/FFmpeg/commit/f173cdfe669556aa92857adafe60cbe5f2aa1210	X_refsource_misc
https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/FFmpeg/FFmpeg/commit/900f39692ca0337a98a7cf047e4e2611071810c2	2021-01-04

URL	Date	SRC
http://www.debian.org/security/2017/dsa-3996	2021-01-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ffmpeg Search vendor "Ffmpeg"		Ffmpeg Search vendor "Ffmpeg" for product "Ffmpeg"				3.3.3 Search vendor "Ffmpeg" for product "Ffmpeg" and version "3.3.3"		-		Affected