CVE-2016-1897

Published: 15/01/2016 Updated: 30/10/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

FFmpeg 2.x allows remote malicious users to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.

Vulnerable Product

ffmpeg ffmpeg 2.7.4

ffmpeg ffmpeg 2.7.3

ffmpeg ffmpeg 2.6.2

ffmpeg ffmpeg 2.6.1

ffmpeg ffmpeg 2.5.4

ffmpeg ffmpeg 2.5.3

ffmpeg ffmpeg 2.4.9

ffmpeg ffmpeg 2.4.8

ffmpeg ffmpeg 2.4

ffmpeg ffmpeg 2.3.6

ffmpeg ffmpeg 2.2.16

ffmpeg ffmpeg 2.2.15

ffmpeg ffmpeg 2.2.8

ffmpeg ffmpeg 2.2.7

ffmpeg ffmpeg 2.1.8

ffmpeg ffmpeg 2.1.7

ffmpeg ffmpeg 2.1

ffmpeg ffmpeg 2.0.7

ffmpeg ffmpeg 2.0

ffmpeg ffmpeg 2.8.4

ffmpeg ffmpeg 2.8.3

ffmpeg ffmpeg 2.7.2

ffmpeg ffmpeg 2.7.1

ffmpeg ffmpeg 2.6

ffmpeg ffmpeg 2.5.9

ffmpeg ffmpeg 2.5.2

ffmpeg ffmpeg 2.5.1

ffmpeg ffmpeg 2.4.7

ffmpeg ffmpeg 2.4.6

ffmpeg ffmpeg 2.3.5

ffmpeg ffmpeg 2.3.4

ffmpeg ffmpeg 2.2.14

ffmpeg ffmpeg 2.2.13

ffmpeg ffmpeg 2.2.6

ffmpeg ffmpeg 2.2.5

ffmpeg ffmpeg 2.2.4

ffmpeg ffmpeg 2.1.6

ffmpeg ffmpeg 2.1.5

ffmpeg ffmpeg 2.0.6

ffmpeg ffmpeg 2.0.5

ffmpeg ffmpeg 2.8.2

ffmpeg ffmpeg 2.8.1

ffmpeg ffmpeg 2.7

ffmpeg ffmpeg 2.6.6

ffmpeg ffmpeg 2.6.5

ffmpeg ffmpeg 2.5.8

ffmpeg ffmpeg 2.5.7

ffmpeg ffmpeg 2.5

ffmpeg ffmpeg 2.4.12

ffmpeg ffmpeg 2.4.5

ffmpeg ffmpeg 2.4.4

ffmpeg ffmpeg 2.4.3

ffmpeg ffmpeg 2.3.3

ffmpeg ffmpeg 2.3.2

ffmpeg ffmpeg 2.2.12

ffmpeg ffmpeg 2.2.11

ffmpeg ffmpeg 2.2.3

ffmpeg ffmpeg 2.2.2

ffmpeg ffmpeg 2.1.4

ffmpeg ffmpeg 2.1.3

ffmpeg ffmpeg 2.0.4

ffmpeg ffmpeg 2.0.3

ffmpeg ffmpeg 2.8

ffmpeg ffmpeg 2.6.4

ffmpeg ffmpeg 2.6.3

ffmpeg ffmpeg 2.5.6

ffmpeg ffmpeg 2.5.5

ffmpeg ffmpeg 2.4.11

ffmpeg ffmpeg 2.4.10

ffmpeg ffmpeg 2.4.2

ffmpeg ffmpeg 2.4.1

ffmpeg ffmpeg 2.3

ffmpeg ffmpeg 2.3.1

ffmpeg ffmpeg 2.2.10

ffmpeg ffmpeg 2.2.9

ffmpeg ffmpeg 2.2.1

ffmpeg ffmpeg 2.2

ffmpeg ffmpeg 2.1.2

ffmpeg ffmpeg 2.1.1

ffmpeg ffmpeg 2.0.2

ffmpeg ffmpeg 2.0.1

canonical ubuntu linux 12.04

opensuse leap 42.1

Vendor Advisories

Libav could be made to crash or run programs as your login if it opened a specially crafted file ...

Github Repositories

ffmpeg arbitrary file read vulnerability / SSRF vulnerability (CVE-2016-1897/CVE-2016-1898) Runtime environment: docker-compose build docker-compose up -d Principle: xdxdlove/2016/01/18/ffmpeg-SSRF%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/ blognearglecom/SecNewsBak/drops/CVE-2016-18978%20-%20FFMpeg%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90html ha

Backup of the Drops.Wooyun articles that have gone dead on SecNews

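README This project only backs up the dead articles from the Drops Wooyun knowledge base on Sec-News; it does not cover the whole Drops site. The article list is as follows: drops_arti_list = [ "SQL注入速查表(上)", "WMI Attacks", "攻击洋葱路由(Tor)匿名服务的一些综述", "SQL注入速查表(下)与Oracle注入速查表", "Hacking ipcam like Harold in P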