First published: Wed Apr 24 2019(Updated: )
GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Gstreamer Project Gstreamer | <1.16.0 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
debian/gst-plugins-base1.0 | 1.18.4-2+deb11u2 1.22.0-3+deb12u2 1.24.10-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2019-9928 is a vulnerability in GStreamer before version 1.16.0 that allows for a heap-based buffer overflow in the RTSP connection parser.
The severity of CVE-2019-9928 is high, with a CVSS score of 8.8.
CVE-2019-9928 allows remote code execution by exploiting a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server.
The affected software versions include gst-plugins-base1.0 (1.14.4-2+deb10u1, 1.14.4-2+deb10u2, 1.18.4-2+deb11u1, 1.22.0-3+deb12u1, 1.22.6-1), gst-plugins-base0.10 (0.10.36-2ubuntu0.2), gst-plugins-base1.0 (1.14.1-1ubuntu1~ubuntu18.04.2, 1.14.4-1ubuntu1.1, 1.15.90-1, 1.16.0), and Gstreamer Project Gstreamer (up to 1.16.0).
To fix the CVE-2019-9928 vulnerability, update the affected software versions to the recommended patches provided by the respective sources (e.g., Debian, Ubuntu).