FFmpeg up to 3.4.2 XML File libavformat/img2dec.c svg_probe resource management
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
5.8 | $0-$5k | 0.00 |
A vulnerability was found in FFmpeg up to 3.4.2 (Multimedia Processing Software). It has been rated as problematic. Affected by this issue is the function svg_probe
of the file libavformat/img2dec.c of the component XML File Handler. The manipulation with an unknown input leads to a resource management vulnerability. Using CWE to declare the problem leads to CWE-399. Impacted is availability. CVE summarizes:
The svg_probe function in libavformat/img2dec.c in FFmpeg through 3.4.2 allows remote attackers to cause a denial of service (Infinite Loop) via a crafted XML file.
The bug was discovered 03/10/2018. The weakness was published 04/24/2018 as confirmed git commit (GIT Repository). The advisory is shared for download at git.ffmpeg.org. This vulnerability is handled as CVE-2018-7751 since 03/07/2018. The attack may be launched remotely. No form of authentication is required for exploitation. There are known technical details, but no exploit is available.
The vulnerability was handled as a non-public zero-day exploit for at least 45 days. During that time the estimated underground price was around $0-$5k.
Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.ffmpeg.org.
The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 103956†).
Product
Type
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.9VulDB Meta Temp Score: 5.8
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 6.5
NVD Vector: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Resource managementCWE: CWE-399 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Patch: git.ffmpeg.org
Timeline
03/07/2018 🔍03/10/2018 🔍
04/24/2018 🔍
04/24/2018 🔍
04/24/2018 🔍
04/25/2018 🔍
03/07/2023 🔍
Sources
Product: ffmpeg.orgAdvisory: a6cba062051f345e8ebfdff34aba071ed73d923f
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2018-7751 (🔍)
SecurityFocus: 103956 - FFmpeg 'libavformat/img2dec.c' Denial of Service Vulnerability
Entry
Created: 04/25/2018 08:48 AMUpdated: 03/07/2023 02:53 PM
Changes: 04/25/2018 08:48 AM (63), 01/31/2020 01:52 PM (4), 03/07/2023 02:53 PM (4)
Complete: 🔍
Cache ID: 18:272:40
No comments yet. Languages: en.
Please log in to comment.