VDB
ALPINE-CVE-2017-9993
ALPINE-CVE-2017-9993
PUBLISHED
CVSS 7.5 HIGH
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
Risk Scores
CVSS 3.0
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.5 | ffmpeg | 0, 0.10-r0, 0.10-r1 |
| Alpine:v3.6 | ffmpeg | 3.0, 1.2.2-r0, 1.2.4-r0 |
| Alpine:v3.4 | ffmpeg | 0, 0.10-r0, 0.10-r1 |
Timeline
- Jun 28, 2017 CVE Published
- Apr 30, 2026 Distribution Patch
- Jul 8, 2026 CVE Updated