CVE-2017-9993
Debian Security Advisory 3957-1
Public Exploits: 0
Exploited in Wild: -
Decision: -
Descriptions
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows a remote attacker to read arbitrary files by manipulating the playlist data.
Several vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. These issues could lead to Denial-of-Service and, in some situations, the execution of arbitrary code.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2017-06-28 CVE Reserved
- 2017-06-28 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-25 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (5)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/99315 | Third Party Advisory | |
https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html | Mailing List | |
URL | Date | SRC |
---|---|---|
https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021 | 2019-03-26 | |
https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb | 2019-03-26 | |
URL | Date | SRC |
---|---|---|
http://www.debian.org/security/2017/dsa-3957 | 2019-03-26 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Ffmpeg | Ffmpeg | < 2.8.12 | - | Affected |
Ffmpeg | Ffmpeg | >= 3.0 < 3.1.9 | - | Affected |
Ffmpeg | Ffmpeg | >= 3.2 < 3.2.6 | - | Affected |
Ffmpeg | Ffmpeg | >= 3.3 < 3.3.2 | - | Affected |
Debian | Debian Linux | 8.0 | - | Affected |
Debian | Debian Linux | 9.0 | - | Affected |