7.5

CVE-2017-9993

EPSS 56.17%
Published 28.06.2017 06:29:00
Last modified 20.04.2025 01:37:25
Source cve@mitre.org
Teams watchlist Login
Open Login

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

Affected products Warnungen 0 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Ffmpeg ≫ Ffmpeg Version < 2.8.12

Ffmpeg ≫ Ffmpeg Version >= 3.0 < 3.1.9

Ffmpeg ≫ Ffmpeg Version >= 3.2 < 3.2.6

Ffmpeg ≫ Ffmpeg Version >= 3.3 < 3.3.2

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	56.17%	0.98

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

http://www.debian.org/security/2017/dsa-3957

Third Party Advisory

http://www.securityfocus.com/bid/99315

Third Party Advisory

VDB Entry

https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021

Patch

Third Party Advisory

Issue Tracking

https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb

Patch

Third Party Advisory

Issue Tracking

https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2017-9993

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-9993

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-9993

EUVD