First published: Wed Jun 28 2017(Updated: )
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/ffmpeg | 7:4.1.9-0+deb10u1 7:4.1.11-0+deb10u1 7:4.3.6-0+deb11u1 7:5.1.3-1 7:6.0-7 | |
FFmpeg FFmpeg | <2.8.12 | |
FFmpeg FFmpeg | >=3.0<3.1.9 | |
FFmpeg FFmpeg | >=3.2<3.2.6 | |
FFmpeg FFmpeg | >=3.3<3.3.2 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.