CVE-2017-9993

HIGH7.5EPSS 56.2%

Published: 6/28/2017Modified: 4/28/2026

Description

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

Affected packages (2)

Alpine/ffmpegfrom 0, < 3.1.9-r0
Debian/ffmpegfrom 0, < 7:3.2.6-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (2)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2017-9993
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-9993