CVE-2019-14437

EPSS 0.57%
Published 29.08.2019 18:15:12
Last modified 21.11.2024 04:26:44
Source cve@mitre.org
CVE-Watchlists
Login
Open
Login

The xiph_SplitHeaders function in modules/demux/xiph.h in VideoLAN VLC media player 3.0.7.1 does not check array bounds properly. As a result, a heap-based buffer over-read can be triggered via a crafted .ogg file.

Affected products Warnungen 0 Metrics 3 CWE 2 References 11

Data is provided by the National Vulnerability Database (NVD)

Videolan ≫ Vlc Media Player Version3.0.7.1

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.57%	0.677

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

CWE-129 Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00036.html

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00046.html

https://seclists.org/bugtraq/2019/Aug/36

Third Party Advisory

Mailing List

https://security.gentoo.org/glsa/201909-02

https://www.debian.org/security/2019/dsa-4504

Third Party Advisory

https://usn.ubuntu.com/4131-1/

http://git.videolan.org/?p=vlc.git&a=search&h=refs%2Fheads%2Fmaster&st=commit&s=cve-2019

Patch

https://www.videolan.org/security/sb-vlc308.html