Vulnerability identifier: #VU19232
Vulnerability risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-119
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
FFmpeg
Universal components / Libraries /
Libraries used by multiple products
Vendor: ffmpeg.sourceforge.net
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in aa_read_header() function in libavformat/aadec.c. A remote attacker can create a specially crafted media file, trick the victim into opening it, trigger memory corruption and crash the affected application.
Mitigation
Install update from vendor's website.
Vulnerable software versions
FFmpeg: 3.3 - 4.1.3
External links
http://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9b4004c054964a49c7ba44583f4cee22486dd8f2
http://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1.4
http://github.com/FFmpeg/FFmpeg/commit/ed188f6dcdf0935c939ed813cf8745d50742014b
http://github.com/FFmpeg/FFmpeg/compare/a97ea53...ba11e40
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.