CVE-2017-9993
CVSS 3.1 base score: 7.5 (HIGH)
EPSS: 56.2%
Description
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
How to fix CVE-2017-9993
To remediate CVE-2017-9993, upgrade the affected package to a fixed version below.
- Alpine/ffmpeg—upgrade to 3.1.9-r0 or later
- Debian/ffmpeg—upgrade to 7:3.2.6-1 or later
Is CVE-2017-9993 being exploited?
Likely — EPSS is 56.2%, placing CVE-2017-9993 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (2)
- Alpine/ffmpeg: from 0, < 3.1.9-r0
- Debian/ffmpeg: from 0, < 7:3.2.6-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |