CVE-2017-9993
- Source
- https://cve.org/CVERecord?id=CVE-2017-9993
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9993.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2017-9993
- Downstream
- Related
- Published
- 2017-06-28T06:29:00.520Z
- Modified
- 2026-02-17T00:12:37.906639Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
- References
-
- http://www.debian.org/security/2017/dsa-3957
- http://www.securityfocus.com/bid/99315
- https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021
- https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb
- https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html
- https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021
- https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb
- https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021
- https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb
- https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html
Affected packages
Git / github.com/ffmpeg/ffmpeg
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ffmpeg/ffmpeg
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixedIntroducedFixed
Affected versions
n3.*
n3.2
n3.2-dev
n3.2.1
n3.2.2
n3.2.3
n3.2.4
n3.2.5
n3.3
n3.3-dev
n3.3.1
n3.4-dev
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9993.json"
vanir_signatures
[
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb",
"digest": {
"function_hash": "100093900058542799657889733734995495217",
"length": 1723.0
},
"id": "CVE-2017-9993-0b18ff5d",
"deprecated": false,
"target": {
"file": "libavformat/avidec.c",
"function": "read_gab2_sub"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb",
"digest": {
"line_hashes": [
"247647588641104728213418509410831448062",
"210452344144348706880714598537528074252",
"114642071758997392080199538347251752333"
],
"threshold": 0.9
},
"id": "CVE-2017-9993-193a3aba",
"deprecated": false,
"target": {
"file": "libavformat/avidec.c"
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021",
"digest": {
"function_hash": "257983092419843509256040459780787130368",
"length": 1418.0
},
"id": "CVE-2017-9993-1e057fb8",
"deprecated": false,
"target": {
"file": "libavformat/hls.c",
"function": "open_url"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021",
"digest": {
"line_hashes": [
"203502386244361887724902566458987754824",
"16964987273774486397817083865857283257",
"141704045537463233543622030142289086163",
"84024654689120089223240706499637257499",
"9068505603049988846850622761422986305",
"326956143841571710063172647790829892873",
"325329167976874793589187196805427456989",
"108423924755251432220890115302295076355",
"192732936803302232881769054923691155627",
"312204071381423099927987894530916434070",
"43764614645023624833614649909112426728",
"314333908702926658478912859270766703185",
"309502367116977254817880116671407519583"
],
"threshold": 0.9
},
"id": "CVE-2017-9993-fb437f3f",
"deprecated": false,
"target": {
"file": "libavformat/hls.c"
}
}
]