Information disclosure in FFmpeg - CVE-2016-1897

 

Published: January 15, 2016 / Updated: July 28, 2020


Vulnerability identifier: #VU32353
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-1897
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: FFmpeg
Software vendor: ffmpeg.sourceforge.net

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.
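
A defensive pre-check for the condition described above, as an added example that is not part of the advisory or of FFmpeg: it lists every URI an untrusted M3U8 playlist references and reports any whose protocol prefix is outside an allowlist, so the playlist can be rejected before it reaches a media pipeline. The `http`/`https` allowlist, the function names and the sample playlist are assumptions constructed for illustration.

```python
import re

ALLOWED_SCHEMES = {"http", "https"}      # assumption: local policy, adjust as needed
URI_ATTR = re.compile(r'URI="([^"]*)"')  # URI="..." attributes inside playlist tags

# Constructed sample playlist (not taken from any real incident).
SAMPLE = """\
#EXTM3U
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="file:key.bin"
#EXTINF:10,
https://media.example.invalid/seg0.ts
#EXTINF:10,
concat:seg1.ts|seg2.ts
#EXTINF:10,
seg3.ts
#EXT-X-ENDLIST
"""

def scheme_of(uri):
    """Return the lowercased protocol prefix, or None for a relative reference."""
    head, sep, _ = uri.partition(":")
    if not sep or any(c in head for c in "/?#"):
        return None
    return head.lower()

def playlist_uris(text):
    """Yield (line_no, uri) for segment lines and URI="..." tag attributes."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            for m in URI_ATTR.finditer(line):
                yield no, m.group(1)
        else:
            yield no, line

def disallowed_uris(text, allowed=ALLOWED_SCHEMES):
    """Return [(line_no, scheme, uri)] for URIs whose prefix is not allowlisted."""
    findings = []
    for no, uri in playlist_uris(text):
        scheme = scheme_of(uri)
        if scheme is not None and scheme not in allowed:
            findings.append((no, scheme, uri))
    return findings

if __name__ == "__main__":
    for no, scheme, uri in disallowed_uris(SAMPLE):
        print(f"line {no}: refusing {scheme!r} URI: {uri}")
```

Relative segment references pass this check, so it only helps when the playlist's own location is also restricted to an allowlisted scheme.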


Remediation

Install the update from the vendor's website.

External links