CVE-2017-9993

CVE-2017-9993 PUBLISHED

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

Risk Scores

EPSS Score: 56.17% (98.1th percentile)

Affected Products

Vendor | Product | Versions
Ubuntu:16.04:LTS | ffmpeg | *, 0, 7:2.7.2-1build1
Ubuntu:Pro:14.04:LTS | libav | 0, 6:9.10-1ubuntu1, 6:9.10-1ubuntu2

Timeline

  • Jun 28, 2017 CVE Published
  • Apr 14, 2021 EPSS Score
  • Aug 5, 2024 CVE Updated
  • Mar 17, 2025 EPSS Score
  • Mar 24, 2025 EPSS Score
  • Mar 25, 2025 EPSS Score
  • Apr 6, 2025 EPSS Score
  • Apr 9, 2025 EPSS Score
  • Apr 10, 2025 EPSS Score
  • Apr 11, 2025 EPSS Score
  • Apr 17, 2025 EPSS Score
  • Apr 18, 2025 EPSS Score