Main Vulnerability Database Vulnerabilities #VU33143

Arbitrary file upload in TagLib - CVE-2017-12678

Published: August 8, 2017 / Updated: August 3, 2020

Vulnerability identifier: #VU33143

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2017-12678

CWE-ID: CWE-434

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: TagLib

Affected software:
TagLib

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefactory.cpp has a pointer to cast vulnerability, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted audio file.

How to mitigate CVE-2017-12678

Install update from vendor's website.

Sources

https://github.com/taglib/taglib/issues/829
https://github.com/taglib/taglib/pull/831
https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6#diff-37f706c8696a7c1ca939b169c0a04d97

Arbitrary file upload in TagLib - CVE-2017-12678

Detailed vulnerability description

How to mitigate CVE-2017-12678

Sources

Please verify you're human