CVE-2016-1897

FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.

CVSS v3 5.5 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://habrahabr.ru/company/mailru/blog/274855	Exploit
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00034.html
http://security.stackexchange.com/questions/110644	Exploit
http://www.debian.org/security/2016/dsa-3506
http://www.openwall.com/lists/oss-security/2016/01/14/1
http://www.securityfocus.com/bid/80501
http://www.securitytracker.com/id/1034932
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.529036
http://www.ubuntu.com/usn/USN-2944-1
https://security.gentoo.org/glsa/201606-09
https://security.gentoo.org/glsa/201705-08
https://www.kb.cert.org/vuls/id/772447
http://habrahabr.ru/company/mailru/blog/274855	Exploit
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00034.html
http://security.stackexchange.com/questions/110644	Exploit
http://www.debian.org/security/2016/dsa-3506
http://www.openwall.com/lists/oss-security/2016/01/14/1
http://www.securityfocus.com/bid/80501
http://www.securitytracker.com/id/1034932
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.529036
http://www.ubuntu.com/usn/USN-2944-1
https://security.gentoo.org/glsa/201606-09
https://security.gentoo.org/glsa/201705-08
https://www.kb.cert.org/vuls/id/772447

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ffmpeg:ffmpeg:2.0:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.0.1:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.0.2:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.0.3:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.0.4:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.0.5:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.0.6:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.0.7:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.1:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.1.1:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.1.2:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.1.3:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.1.4:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.1.5:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.1.6:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.1.7:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.1.8:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.1:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.2:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.3:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.4:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.5:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.6:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.7:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.8:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.9:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.10:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.11:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.12:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.13:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.14:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.15:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.2.16:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.3:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.3.1:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.3.2:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.3.3:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.3.4:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.3.5:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.3.6:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.4:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.4.1:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.4.2:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.4.3:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.4.4:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.4.5:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.4.6:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.4.7:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.4.8:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.4.9:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.4.10:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.4.11:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.4.12:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.5:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.5.1:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.5.2:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.5.3:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.5.4:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.5.5:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.5.6:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.5.7:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.5.8:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:2.5.9:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.6:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.6.1:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.6.2:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.6.3:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.6.4:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.6.5:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.6.6:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.7:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.7.1:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.7.2:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.7.3:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.7.4:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.8:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.8:dev::::::
cpe:2.3:a:ffmpeg:ffmpeg:2.8.1:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.8.2:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.8.3:::::::*
cpe:2.3:a:ffmpeg:ffmpeg:2.8.4:::::::*

Configuration 2 (hide)

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*

Configuration 3 (hide)

cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*

History

21 Nov 2024, 02:47

Type	Values Removed	Values Added
References	~~() http://habrahabr.ru/company/mailru/blog/274855 - Exploit~~	() http://habrahabr.ru/company/mailru/blog/274855 - Exploit
References	~~() http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00034.html -~~	() http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00034.html -
References	~~() http://security.stackexchange.com/questions/110644 - Exploit~~	() http://security.stackexchange.com/questions/110644 - Exploit
References	~~() http://www.debian.org/security/2016/dsa-3506 -~~	() http://www.debian.org/security/2016/dsa-3506 -
References	~~() http://www.openwall.com/lists/oss-security/2016/01/14/1 -~~	() http://www.openwall.com/lists/oss-security/2016/01/14/1 -
References	~~() http://www.securityfocus.com/bid/80501 -~~	() http://www.securityfocus.com/bid/80501 -
References	~~() http://www.securitytracker.com/id/1034932 -~~	() http://www.securitytracker.com/id/1034932 -
References	~~() http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.529036 -~~	() http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.529036 -
References	~~() http://www.ubuntu.com/usn/USN-2944-1 -~~	() http://www.ubuntu.com/usn/USN-2944-1 -
References	~~() https://security.gentoo.org/glsa/201606-09 -~~	() https://security.gentoo.org/glsa/201606-09 -
References	~~() https://security.gentoo.org/glsa/201705-08 -~~	() https://security.gentoo.org/glsa/201705-08 -
References	~~() https://www.kb.cert.org/vuls/id/772447 -~~	() https://www.kb.cert.org/vuls/id/772447 -

Information

Published : 2016-01-15 03:59

Updated : 2024-11-21 02:47

NVD link : CVE-2016-1897

Mitre link : CVE-2016-1897

CVE.ORG link : CVE-2016-1897

JSON object : View

Products Affected

opensuse

leap

canonical

ubuntu_linux

ffmpeg

ffmpeg

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

5.5 /10

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2016-1897

5.5^/10

4.3^/10

Attach tags to `CVE-2016-1897`