CVE-2017-9993

HIGH

Ffmpeg < 2.8.12 - Information Disclosure

Title source: rule

Description

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

Exploits (2)

github WRITEUP 3,480 stars

by qazbnm456 · poc

https://github.com/qazbnm456/awesome-cve-poc/tree/master/CVE-2017-9993.md

View Code ZIP pw:eip

github WRITEUP 14 stars

by xbl3 · poc

https://github.com/xbl3/awesome-cve-poc_qazbnm456/tree/master/CVE-2017-9993.md

View Code ZIP pw:eip

References (5)

[Third Party Advisory] http://www.debian.org/security/2017/dsa-3957

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/99315

[Issue Tracking, Patch, Third Party Advisory] https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021

[Issue Tracking, Patch, Third Party Advisory] https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb

View Patch ZIP pw:eip

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html

Scores

CVSS v3 7.5

EPSS 0.5617

EPSS Percentile 98.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (3)

debian/debian_linux 8.0

debian/debian_linux 9.0

ffmpeg/ffmpeg < 2.8.12

Published Jun 28, 2017

Tracked Since Feb 18, 2026