CVE-2016-1897
libav - security update
5.5
MEDIUM
CVSS 3.1
EPSS 52.1%
Description
FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.
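A defensive check for the playlist pattern described above, as an added example that is not part of the original advisory or of FFmpeg: it lists every URI an M3U8 playlist references and reports those whose scheme is outside an allow-list, so untrusted playlists can be rejected before they reach an unpatched FFmpeg. The allow-list, the function names and the sample playlist are assumptions constructed for illustration.

```python
import re

# Assumption: a deployment policy that only permits HTTP(S) playlist entries.
ALLOWED_SCHEMES = {"http", "https"}

_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_URI_ATTR = re.compile(r'URI="([^"]*)"')


def playlist_uris(text):
    """Yield (line_number, uri) for every URI an HLS playlist references."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Tags such as EXT-X-KEY and EXT-X-MAP carry URIs as attributes.
            if line.startswith("#EXT"):
                for match in _URI_ATTR.finditer(line):
                    yield number, match.group(1)
            continue
        yield number, line  # any other non-blank line is a URI


def suspicious_entries(text, allowed=ALLOWED_SCHEMES):
    """Return [(line_number, scheme, uri)] for URIs with a disallowed scheme.

    Relative URIs (no scheme) pass; they resolve against the playlist URL.
    """
    findings = []
    for number, uri in playlist_uris(text):
        match = _SCHEME.match(uri)
        if match and match.group(1).lower() not in allowed:
            findings.append((number, match.group(1).lower(), uri))
    return findings


# Constructed sample playlist (not taken from the advisory).
SAMPLE = """#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="https://media.example/key.bin"
#EXTINF:10.0,
segment0.ts
#EXTINF:10.0,
CONCAT:part-a.ts|part-b.ts
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    for number, scheme, uri in suspicious_entries(SAMPLE):
        print(f"line {number}: disallowed scheme {scheme!r} in {uri!r}")
```

The scheme match is case-insensitive, and URIs carried in tag attributes are checked as well as media lines.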
How to fix CVE-2016-1897
To remediate CVE-2016-1897, upgrade each affected package to the fixed version listed below, or later.
- Debian/ffmpeg—upgrade to 7:2.8.5-1 or later
- —upgrade to 6:0.8.17-2 or later
Is CVE-2016-1897 being exploited?
Likely — EPSS is 52.1%, placing CVE-2016-1897 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (2)
- from 0, < 7:2.8.5-1
- from 0, < 6:0.8.17-2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |