CVE ID:

CVE-2017-9993

Details:

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

References:

:https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021
:https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb

ZeroDayLab Assigned Tags:

FILE READ ACCESS
CODING ERROR / DESIGN FLAW
INFORMATION COMPROMISE
VALIDATION VULNERABILITY