Saturday, 1 July 2017
On 06:28 by admin in vulns No comments
A vulnerability classified as critical was found in VideoLAN VLC Media Player up to 2.2.7. The affected function is memcpy() in the avcodec component. Manipulation with an unknown input leads to an out-of-bounds buffer overflow, classified as CWE-119. Confidentiality, integrity, and availability are impacted.
The weakness was disclosed on 06/30/2017. The advisory is available for download at trac.videolan.org. The vulnerability has been tracked as CVE-2017-10699 since 06/30/2017. Technical details are known, but no exploit is available. The structure of the vulnerability suggests a possible price range of USD $0-$5k at the moment (estimate calculated on 06/30/2017).
Upgrading eliminates this vulnerability. A possible mitigation was published before the disclosure of the vulnerability.
CVSSv3
VulDB Base Score: ≈5.5
VulDB Temp Score: ≈5.3
VulDB Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:X
VulDB Reliability: Low
CVSSv2
VulDB Base Score: ≈4.1 (CVSS2#AV:A/AC:M/Au:S/C:P/I:P/A:P)
VulDB Temp Score: ≈3.6 (CVSS2#E:ND/RL:OF/RC:ND)
VulDB Reliability: Low
CPE
- cpe:/a:videolan:vlc_media_player:2.2.0
- cpe:/a:videolan:vlc_media_player:2.2.1
- cpe:/a:videolan:vlc_media_player:2.2.2
- cpe:/a:videolan:vlc_media_player:2.2.3
- cpe:/a:videolan:vlc_media_player:2.2.4
- cpe:/a:videolan:vlc_media_player:2.2.5
- cpe:/a:videolan:vlc_media_player:2.2.6
- cpe:/a:videolan:vlc_media_player:2.2.7
Exploiting
Class: Buffer overflow / Out-of-Bounds (CWE-119)
Local: Yes
Remote: No
Availability: No
Price Prediction: steady
Current Price Estimation:
0-Day | $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k |
---|---|---|---|---|
Today | $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k |
Recommended: Upgrade
Status: Official fix
0-Day Time: 0 days since found
Timeline
06/29/2017 Countermeasure disclosed
06/30/2017 +1 days Advisory disclosed
06/30/2017 +0 days VulDB entry created
06/30/2017 +0 days CVE assigned
06/30/2017 +0 days VulDB last update
Sources
Advisory: trac.videolan.org
CVE: CVE-2017-10699 (mitre.org) (nvd.nist.org) (cvedetails.com)