{"id":"CVE-2017-9993","details":"FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.","modified":"2026-02-24T11:24:49.113700Z","published":"2017-06-28T06:29:00.520Z","related":["MGASA-2018-0008"],"references":[{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3957"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/99315"},{"type":"ADVISORY","url":"https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021"},{"type":"ADVISORY","url":"https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html"},{"type":"REPORT","url":"https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021"},{"type":"REPORT","url":"https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"fixed":"189ff4219644532bdfa7bab28dfedaee4d6d4021"},{"introduced":"0"},{"fixed":"a5d849b149ca67ced2d271dc84db0bc95a548abb"},{"introduced":"340cea9f22c162e10d120835661e132721b7454b"},{"fixed":"431ccd3f55eae8732fe901622660c52fc712cc25"},{"introduced":"c40983a6f631d22fede713d535bb9c31d5c9740c"},{"fixed":"a2d9595a4b4e0e6fe85683ff79774fd618b282cc"},{"introduced":"efa89a841941bf61d1a3eb5c2900f98e3e7db85b"},{"fixed":"6d7192bcb7bbab17dc194e8dbb56c208bced0a92"}]}],"versions":["n3.2","n3.2-dev","n3.2.1","n3.2.2","n3.2.3","n3.2.4","n3.2.5","n3.3","n3.3-dev","n3.3.1","n3.4-dev"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9993.json","vanir_signatures":[{"source":"https://github.com/ffmpeg/ffmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb","signature_type":"Function","target":{"function":"read_gab2_sub","file":"libavformat/avidec.c"},"signature_version":"v1","id":"CVE-2017-9993-0b18ff5d","digest":{"function_hash":"100093900058542799657889733734995495217","length":1723},"deprecated":false},{"source":"https://github.com/ffmpeg/ffmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb","signature_type":"Line","target":{"file":"libavformat/avidec.c"},"signature_version":"v1","id":"CVE-2017-9993-193a3aba","digest":{"threshold":0.9,"line_hashes":["247647588641104728213418509410831448062","210452344144348706880714598537528074252","114642071758997392080199538347251752333"]},"deprecated":false},{"source":"https://github.com/ffmpeg/ffmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021","signature_type":"Function","target":{"function":"open_url","file":"libavformat/hls.c"},"signature_version":"v1","id":"CVE-2017-9993-1e057fb8","digest":{"function_hash":"257983092419843509256040459780787130368","length":1418},"deprecated":false},{"source":"https://github.com/ffmpeg/ffmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021","signature_type":"Line","target":{"file":"libavformat/hls.c"},"signature_version":"v1","id":"CVE-2017-9993-fb437f3f","digest":{"threshold":0.9,"line_hashes":["203502386244361887724902566458987754824","16964987273774486397817083865857283257","141704045537463233543622030142289086163","84024654689120089223240706499637257499","9068505603049988846850622761422986305","326956143841571710063172647790829892873","325329167976874793589187196805427456989","108423924755251432220890115302295076355","192732936803302232881769054923691155627","312204071381423099927987894530916434070","43764614645023624833614649909112426728","314333908702926658478912859270766703185","309502367116977254817880116671407519583"]},"deprecated":false}]}},{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"127fc5dcc66b799f47a84746cc3ea4dec694eff2"},{"fixed":"b9e5c3e19c78954aa0d79512738c0f83cb8f8d21"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9993.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}