A vulnerability was found in Bento4 1.5.1-624 (Multimedia Player Software). It has been classified as problematic. This affects the function AP4_SampleDescription::GetFormat of the file Ap4SampleDescription.h of the component mp42ts. The manipulation as part of a MP4 File leads to a out-of-bounds vulnerability. CWE is classifying the issue as CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. This is going to have an impact on availability. The summary by CVE is:

There exists one invalid memory read bug in AP4_SampleDescription::GetFormat() in Ap4SampleDescription.h in Bento4 1.5.1-624, which can allow attackers to cause a denial-of-service via a crafted mp4 file. This vulnerability can be triggered by the executable mp42ts.

The bug was discovered 07/20/2018. The weakness was presented 07/23/2018 (Website). The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2018-14544 since 07/23/2018. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available.

The vulnerability was handled as a non-public zero-day exploit for at least 3 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

See 122074 for similar entry.

Productinfo

Type

• Multimedia Player Software

Name

• Bento4

Version

• 1.5.1-624

License

• free

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion