Information disclosure in FFmpeg - CVE-2016-1898
Published: January 15, 2016 / Updated: July 28, 2020
Vulnerability identifier: #VU32354
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-1898
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
FFmpeg
FFmpeg
Software vendor:
ffmpeg.sourceforge.net
ffmpeg.sourceforge.net
Description
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file.
Remediation
Install update from vendor's website.
External links
- http://habrahabr.ru/company/mailru/blog/274855
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00034.html
- http://www.debian.org/security/2016/dsa-3506
- http://www.openwall.com/lists/oss-security/2016/01/14/1
- http://www.securityfocus.com/bid/80501
- http://www.securitytracker.com/id/1034932
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.529036
- http://www.ubuntu.com/usn/USN-2944-1
- https://security.gentoo.org/glsa/201606-09
- https://security.gentoo.org/glsa/201705-08
- https://www.kb.cert.org/vuls/id/772447