SB2016012016 - Information disclosure in ffmpeg (Alpine package)
Published: January 20, 2016
Security Bulletin ID
SB2016012016
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2016-1897)
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.
Remediation
Install update from vendor's website.