Overview
ffmpeg is a "cross-platform solution to record, convert and stream audio and video". ffmpeg is vulnerable to local file disclosure due to improper enforcement of domain restrictions when processing playlist files.
Description
CWE-201: Information Exposure Through Sent Data - CVE-2016-1897, CVE-2016-1898

When a user opens a maliciously crafted playlist file in ffmpeg, ffmpeg will query a server for remote data. By carefully crafting the playlist, an attacker can cause ffmpeg to request internet URIs that expose file:// content from the victim's machine. CVE-2016-1897 refers to an issue with processing playlists that use concatenations, while CVE-2016-1898 refers to a related issue with subfiles.
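The issue described above comes down to which protocols a playlist entry is allowed to name. The following Python check is an added example, not part of the original advisory or of ffmpeg: it audits an M3U/HLS playlist before it reaches a media pipeline and reports every entry whose protocol is outside an allow-list. The function names, the http/https allow-list and the sample playlist are assumptions constructed for illustration; `concat`, `subfile` and `file` are ffmpeg protocol names.

```python
import re

# Assumption of this example: only these protocols are acceptable in an entry.
ALLOWED_SCHEMES = {"http", "https"}
# URI="..." attributes occur in tags such as #EXT-X-KEY and #EXT-X-MAP.
URI_ATTR = re.compile(r'URI="([^"]*)"')
# ffmpeg protocol prefix: a name, an optional ",option" list, then ":".
SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.\-]*)(?:,[^:]*)?:')

def scheme_of(uri):
    """Return the lower-cased protocol name of a URI, or None for a relative path."""
    m = SCHEME.match(uri.strip())
    return m.group(1).lower() if m else None

def playlist_uris(text):
    """Yield (line_number, uri) for every URI the playlist refers to."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("#"):
            # Tag line: URIs can only appear as quoted attributes.
            for uri in URI_ATTR.findall(line):
                yield n, uri
        elif line:
            # Any other non-empty line is a media entry.
            yield n, line

def audit_playlist(text):
    """Return (line_number, protocol, uri) for each entry using a disallowed protocol."""
    found = ((n, scheme_of(u), u) for n, u in playlist_uris(text))
    return [f for f in found if f[1] is not None and f[1] not in ALLOWED_SCHEMES]

# Constructed sample playlist, not taken from the advisory.
SAMPLE = """#EXTM3U
#EXT-X-KEY:METHOD=AES-128,URI="file:///tmp/example.key"
#EXTINF:10.0,
segment0.ts
#EXTINF:10.0,
https://media.example/segment1.ts
#EXTINF:10.0,
concat:part1.ts|part2.ts
#EXTINF:10.0,
subfile,,start,0,end,1000,,:segment2.ts
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    for n, scheme, uri in audit_playlist(SAMPLE):
        print(f"line {n}: disallowed protocol {scheme!r} in {uri}")
```

Relative entries such as `segment0.ts` carry no protocol and pass the check; whether they are acceptable depends on where the playlist itself was loaded from.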
Impact
By causing a specially-crafted playlist file to be processed with ffmpeg or Libav, a remote attacker may acquire file contents from a vulnerable system. In some circumstances, this may occur without explicit user interaction (such as the creation of a thumbnail preview by a file manager).
Solution
Apply an update
Vendor Information
CVSS Metrics
| Group | Score | Vector | 
|---|---|---|
| Base | 5 | AV:N/AC:L/Au:N/C:P/I:N/A:N | 
| Temporal | 3.9 | E:POC/RL:OF/RC:C | 
| Environmental | 2.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND | 
References
Acknowledgements
This vulnerability was publicly disclosed by Maxim Andreev.
This document was written by Garret Wassermann and Will Dormann.
Other Information
| CVE IDs: | CVE-2016-1897, CVE-2016-1898 | 
| Date Public: | 2016-01-12 | 
| Date First Published: | 2016-01-20 | 
| Date Last Updated: | 2016-03-10 22:02 UTC | 
| Document Revision: | 49 |