Resource exhaustion in Bento4

#VU36188 Resource exhaustion in Bento4

Published: 2019-01-26 | Updated: 2020-08-08

Vulnerability identifier: #VU36188

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-6966

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Bento4
Universal components / Libraries / Libraries used by multiple products

Vendor: axiomatic-systems

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in Bento4 1.5.1-628. The AP4_ElstAtom class in Core/Ap4ElstAtom.cpp has an attempted excessive memory allocation related to AP4_Array<AP4_ElstEntry>::EnsureCapacity in Core/Ap4Array.h, as demonstrated by mp42hls.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Bento4: 1.5.1-628

External links
http://github.com/axiomatic-systems/Bento4/issues/361

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in axiomatic-systems Bento4