CVE-2017-9993
PUBLISHED
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
Risk Scores
EPSS Score: 56.17% (98.1th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | ffmpeg | *, 0, 7:2.7.2-1build1 |
| Ubuntu:Pro:14.04:LTS | libav | 0, 6:9.10-1ubuntu1, 6:9.10-1ubuntu2 |
Exploit Intelligence
Timeline
- Jun 28, 2017 CVE Published
- Apr 14, 2021 EPSS Score
- Aug 5, 2024 CVE Updated
- Mar 17, 2025 EPSS Score
- Mar 24, 2025 EPSS Score
- Mar 25, 2025 EPSS Score
- Apr 6, 2025 EPSS Score
- Apr 9, 2025 EPSS Score
- Apr 10, 2025 EPSS Score
- Apr 11, 2025 EPSS Score
- Apr 17, 2025 EPSS Score
- Apr 18, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2017-9993 third-party-advisory
- https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021 third-party-advisory
- https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2017-9993 third-party-advisory