CVE-2016-1898
MEDIUMFFmpeg 2.x - Unauthenticated Arbitrary File Read via HLS M3U8 Subfile Protocol
Title source: llmDescription
FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file.
References (11)
Core 11
Core References
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00034.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1034932
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201705-08
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/80501
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2944-1
Vendor Advisory vendor-advisory
x_refsource_slackware
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.529036
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2016/dsa-3506
Exploit x_refsource_misc
http://habrahabr.ru/company/mailru/blog/274855
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201606-09
Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert-vn
https://www.kb.cert.org/vuls/id/772447
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/01/14/1
Scores
CVSS v3
5.5
EPSS
0.2783
EPSS Percentile
96.5%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (50)
canonical/ubuntu_linux
12.04
ffmpeg/ffmpeg
2.0
ffmpeg/ffmpeg
2.0.1
ffmpeg/ffmpeg
2.0.2
ffmpeg/ffmpeg
2.0.3
ffmpeg/ffmpeg
2.0.4
ffmpeg/ffmpeg
2.0.5
ffmpeg/ffmpeg
2.0.6
ffmpeg/ffmpeg
2.0.7
ffmpeg/ffmpeg
2.1
... and 40 more
Published
Jan 15, 2016
Tracked Since
Feb 18, 2026