CVE-2017-9993

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2017-9993
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9993.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-9993
Downstream
Published
2017-06-28T06:29:00.520Z
Modified
2026-04-16T06:22:54.682594177Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

References

Affected packages

Git / github.com/ffmpeg/ffmpeg

Affected ranges

Type
GIT
Repo
https://github.com/ffmpeg/ffmpeg
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ffab459e4e491384756cf8bae0f3922c5e4f6271
Introduced
c40983a6f631d22fede713d535bb9c31d5c9740c
Fixed
a2d9595a4b4e0e6fe85683ff79774fd618b282cc
Introduced
340cea9f22c162e10d120835661e132721b7454b
Fixed
431ccd3f55eae8732fe901622660c52fc712cc25
Introduced
efa89a841941bf61d1a3eb5c2900f98e3e7db85b
Fixed
6d7192bcb7bbab17dc194e8dbb56c208bced0a92
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
140fd653aed8cad774f991ba083e2d01e86420c7
Fixed
189ff4219644532bdfa7bab28dfedaee4d6d4021
Fixed
a5d849b149ca67ced2d271dc84db0bc95a548abb
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.8.12"
        },
        {
            "introduced": "3.0"
        },
        {
            "fixed": "3.1.9"
        },
        {
            "introduced": "3.2"
        },
        {
            "fixed": "3.2.6"
        },
        {
            "introduced": "3.3"
        },
        {
            "fixed": "3.3.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.0"
        }
    ]
}

Affected versions

Other
N
n0.*
n0.11-dev
n0.12-dev
n0.8
n1.*
n1.1-dev
n1.2-dev
n1.3-dev
n2.*
n2.0
n2.1-dev
n2.2-dev
n2.3-dev
n2.4-dev
n2.5-dev
n2.6-dev
n2.7-dev
n2.8
n2.8-dev
n2.8.1
n2.8.10
n2.8.11
n2.8.2
n2.8.3
n2.8.4
n2.8.5
n2.8.6
n2.8.7
n2.8.8
n2.8.9
n2.9-dev
n3.*
n3.1
n3.1-dev
n3.1.1
n3.1.2
n3.1.3
n3.1.4
n3.1.5
n3.1.6
n3.1.7
n3.1.8
n3.2
n3.2-dev
n3.2.1
n3.2.2
n3.2.3
n3.2.4
n3.2.5
n3.3
n3.3-dev
n3.3.1
n3.4-dev
n3.5-dev
n4.*
n4.1-dev
n4.2-dev
n4.3-dev
n4.4-dev
n4.5-dev
n5.*
n5.1-dev
n5.2-dev
n6.*
n6.1-dev
n6.2-dev
n7.*
n7.1-dev
n7.2-dev
n8.*
n8.0

Database specific

vanir_signatures 
[
    {
        "source": "https://github.com/ffmpeg/ffmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb",
        "target": {
            "function": "read_gab2_sub",
            "file": "libavformat/avidec.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "length": 1723.0,
            "function_hash": "100093900058542799657889733734995495217"
        },
        "id": "CVE-2017-9993-0b18ff5d"
    },
    {
        "source": "https://github.com/ffmpeg/ffmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb",
        "target": {
            "file": "libavformat/avidec.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2017-9993-193a3aba",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "247647588641104728213418509410831448062",
                "210452344144348706880714598537528074252",
                "114642071758997392080199538347251752333"
            ]
        }
    },
    {
        "source": "https://github.com/ffmpeg/ffmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021",
        "id": "CVE-2017-9993-1e057fb8",
        "signature_version": "v1",
        "target": {
            "function": "open_url",
            "file": "libavformat/hls.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1418.0,
            "function_hash": "257983092419843509256040459780787130368"
        }
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "203502386244361887724902566458987754824",
                "16964987273774486397817083865857283257",
                "141704045537463233543622030142289086163",
                "84024654689120089223240706499637257499",
                "9068505603049988846850622761422986305",
                "326956143841571710063172647790829892873",
                "325329167976874793589187196805427456989",
                "108423924755251432220890115302295076355",
                "192732936803302232881769054923691155627",
                "312204071381423099927987894530916434070",
                "43764614645023624833614649909112426728",
                "314333908702926658478912859270766703185",
                "309502367116977254817880116671407519583"
            ]
        },
        "id": "CVE-2017-9993-fb437f3f",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021",
        "target": {
            "file": "libavformat/hls.c"
        }
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9993.json"
vanir_signatures_modified 
"2026-04-11T03:11:46Z"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    }
]