CVE-2019-13615

Published: 16/07/2019 Updated: 24/08/2020
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8
VMScore: 383
Vector (CVSS v2): AV:N/AC:M/Au:N/C:N/I:N/A:P

Vulnerability Summary

libebml prior to 1.3.6, as used in the MKV module in VideoLAN VLC Media Player binaries prior to 3.0.3, has a heap-based buffer over-read in EbmlElement::FindNextElement.
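The bug class named in the summary, a heap over-read while locating the next element, arises when an EBML reader trusts the length encoded in an element header (a variable-length ID followed by a variable-length size) without checking that those bytes, and the payload the size announces, still lie inside the buffer it was handed. The following is an added example written for this page; it is not libebml's code and does not reproduce the specific defect in EbmlElement::FindNextElement. It shows a bounds-checked header reader over constructed in-memory inputs, including a truncated one of the kind a crafted MKV file would present. The function names and sample bytes are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Length in bytes of an EBML variable-length integer (vint), taken from
 * the leading-zero count of its first byte: 1xxxxxxx = 1 byte,
 * 01xxxxxx = 2 bytes, ... 00000001 = 8 bytes. A first byte of 0x00 is
 * invalid and yields 0. */
size_t ebml_vint_len(uint8_t first)
{
    size_t n = 1;
    for (uint8_t mask = 0x80; mask != 0 && !(first & mask); mask >>= 1)
        n++;
    return n > 8 ? 0 : n;
}

/* Read one vint at buf[*pos]. Returns 0 and advances *pos on success,
 * -1 if the header is malformed or would run past 'len'.
 * strip_marker: element sizes drop the length-marker bit, element IDs
 * keep it (the marker is part of the ID value). */
int ebml_read_vint(const uint8_t *buf, size_t len, size_t *pos,
                   int strip_marker, uint64_t *out)
{
    if (*pos >= len)
        return -1;
    size_t n = ebml_vint_len(buf[*pos]);
    if (n == 0)
        return -1;
    /* The check an over-reading parser omits: the first byte claims the
     * vint is n bytes long, but only len - *pos bytes remain. */
    if (n > len - *pos)
        return -1;
    uint64_t v = buf[*pos];
    if (strip_marker)
        v &= (uint64_t)(0xFF >> n);
    for (size_t i = 1; i < n; i++)
        v = (v << 8) | buf[*pos + i];
    *pos += n;
    *out = v;
    return 0;
}

typedef struct {
    uint64_t id;
    uint64_t size;
    size_t   data_off;   /* offset of the payload inside the buffer */
} ebml_elem;

/* Parse an element header (ID, then size) at *pos. On success *pos is
 * moved past the payload, which is known to fit in the buffer. The
 * all-ones "unknown size" encoding is treated as an error here, a
 * simplification of this example rather than a rule of the format. */
int ebml_read_header(const uint8_t *buf, size_t len, size_t *pos, ebml_elem *e)
{
    size_t p = *pos;
    if (ebml_read_vint(buf, len, &p, 0, &e->id) < 0)
        return -1;
    if (ebml_read_vint(buf, len, &p, 1, &e->size) < 0)
        return -1;
    if (e->size > len - p)           /* payload would extend past the end */
        return -1;
    e->data_off = p;
    *pos = p + e->size;
    return 0;
}

/* Walk the top-level elements of buf and return how many well-formed
 * ones precede the end of the buffer or the first malformed header.
 * *truncated is set when the walk stopped on a malformed/over-long header. */
int ebml_count_elements(const uint8_t *buf, size_t len, int *truncated)
{
    size_t pos = 0;
    int n = 0;
    *truncated = 0;
    while (pos < len) {
        ebml_elem e;
        if (ebml_read_header(buf, len, &pos, &e) < 0) {
            *truncated = 1;
            break;
        }
        n++;
    }
    return n;
}

/* ID of the first element, or 0 if no complete header is present. */
uint64_t ebml_first_id(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    ebml_elem e;
    return ebml_read_header(buf, len, &pos, &e) == 0 ? e.id : 0;
}

/* Constructed sample: an EBML header element (ID 0x1A45DFA3, 4-byte payload
 * holding an EBMLVersion element 0x4286 with value 1) followed by an empty
 * Segment element (ID 0x18538067, size 0). */
const uint8_t SAMPLE_GOOD[] = {
    0x1A, 0x45, 0xDF, 0xA3, 0x84, 0x42, 0x86, 0x81, 0x01,
    0x18, 0x53, 0x80, 0x67, 0x80
};

/* Constructed sample: same first element, then a Segment whose size vint
 * first byte 0x01 announces an 8-byte size field with only 2 bytes left.
 * An unchecked reader would read 6 bytes past the end of the buffer. */
const uint8_t SAMPLE_TRUNCATED[] = {
    0x1A, 0x45, 0xDF, 0xA3, 0x84, 0x42, 0x86, 0x81, 0x01,
    0x18, 0x53, 0x80, 0x67, 0x01, 0xAA, 0xBB
};

/* Constructed sample: a complete header whose declared payload (2 bytes)
 * is longer than the 1 byte that actually follows it. */
const uint8_t SAMPLE_OVERSIZE[] = { 0x42, 0x86, 0x82, 0x01 };

int main(void)
{
    int t;
    printf("good: %d elements, truncated=%d\n",
           ebml_count_elements(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &t), t);
    printf("truncated: %d elements, truncated=%d\n",
           ebml_count_elements(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &t), t);
    printf("oversize: %d elements, truncated=%d\n",
           ebml_count_elements(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE, &t), t);
    return 0;
}
```

The two checks that matter are the `n > len - *pos` test before the vint bytes are read and the `e->size > len - p` test before the payload is skipped; both compare against the remaining length rather than adding to the position, so they cannot themselves overflow. Dropping either one turns the truncated samples into a read past the buffer end, which is what a fuzzer or a crafted file reaches in a parser without them.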

Vulnerable Products

videolan vlc media player

Vendor Advisories

Debian Bug report logs - #932241 vlc: CVE-2019-13615 Package: src:vlc; Maintainer for src:vlc is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Tue, 16 Jul 2019 20:39:02 UTC Severity: important Tags: security, upstream Found in versions ...
libEBML could be made to crash if it opened a specially crafted file ...
A heap-based out-of-bounds read has been found in the mkv::demux_sys_t::FreeUnused() function of VLC <= 3.0.7.1 ...

Recent Articles

Dodgy vids can hijack PCs via VLC security flaw, US, Germany warn. Software's makers not app-y with that claim
The Register • Shaun Nichols in San Francisco • 23 Jul 2019

'Fake news!' dev team cries

Updated VLC is said to be once again vulnerable to remote-code execution – meaning a booby-trapped video opened by the software could potentially crash the media player, or joyride it to run malware on the host machine. However, the developers of the open-source application, which has been downloaded literally billions of times and used by countless netizens, have disputed this claim, and say it is not possible to exploit the programming blunder. The US government's NIST this month documented ...