VDB

ALPINE-CVE-2017-9993

ALPINE-CVE-2017-9993 PUBLISHED CVSS 7.5 HIGH

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

Risk Scores

CVSS 3.0
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

VendorProductVersions
Alpine:v3.5ffmpeg0, 0.10-r0, 0.10-r1
Alpine:v3.6ffmpeg3.0, 1.2.2-r0, 1.2.4-r0
Alpine:v3.4ffmpeg0, 0.10-r0, 0.10-r1

Timeline

  • Jun 28, 2017 CVE Published
  • Apr 30, 2026 Distribution Patch
  • Jul 8, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›