CVE-2024-6061

GPAC MP4Box isoffin_read.c isoffin_process infinite loop

Severity Score

4.8

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A vulnerability has been found in GPAC 2.5-DEV-rev228-g11067ea92-master and classified as problematic. Affected by this vulnerability is the function isoffin_process of the file src/filters/isoffin_read.c of the component MP4Box. The manipulation leads to infinite loop. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The identifier of the patch is 20c0f29139a82779b86453ce7f68d0681ec7624c. It is recommended to apply a patch to fix this issue. The identifier VDB-268789 was assigned to this vulnerability.

Una vulnerabilidad ha sido encontrada en GPAC 2.5-DEV-rev228-g11067ea92-master y clasificada como problemática. La función isoffin_process del archivo src/filters/isoffin_read.c del componente MP4Box es afectada por esta vulnerabilidad. La manipulación conduce a un bucle infinito. Es posible lanzar el ataque al servidor local. El exploit ha sido divulgado al público y puede utilizarse. El identificador del parche es 20c0f29139a82779b86453ce7f68d0681ec7624c. Se recomienda aplicar un parche para solucionar este problema. A esta vulnerabilidad se le asignó el identificador VDB-268789.

In GPAC 2.5-DEV-rev228-g11067ea92-master wurde eine Schwachstelle gefunden. Sie wurde als problematisch eingestuft. Hierbei betrifft es die Funktion isoffin_process der Datei src/filters/isoffin_read.c der Komponente MP4Box. Durch Manipulation mit unbekannten Daten kann eine infinite loop-Schwachstelle ausgenutzt werden. Der Angriff muss lokal angegangen werden. Der Exploit steht zur öffentlichen Verfügung. Der Patch wird als 20c0f29139a82779b86453ce7f68d0681ec7624c bezeichnet. Als bestmögliche Massnahme wird Patching empfohlen.

*Credits: Fantasy

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

None

Integrity

None

Availability

Low

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-17 CVE Reserved
2024-06-17 CVE Published
2024-08-01 CVE Updated
2024-08-01 First Exploit
2025-04-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (5)

URL	Tag	Source
https://github.com/gpac/gpac/issues/2871	Issue Tracking
https://vuldb.com/?id.268789	Technical Description
https://vuldb.com/?submit.356308	Third Party Advisory

URL	Date	SRC
https://github.com/user-attachments/files/15801058/poc1.zip	2024-08-01

URL	Date	SRC
https://github.com/gpac/gpac/commit/20c0f29139a82779b86453ce7f68d0681ec7624c	2024-06-20

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gpac Search vendor "Gpac"		Gpac Search vendor "Gpac" for product "Gpac"				*		-		Affected