DEBIAN-CVE-2017-9993

DEBIAN-CVE-2017-9993 PUBLISHED CVSS 7.5 HIGH

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

Risk Scores

CVSS v3.0

7.5

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
Debian:13	ffmpeg	0, 0, 0
Debian:11	ffmpeg	0, 0, 0
Debian:14	ffmpeg	0, 0, 0
Debian:12	ffmpeg	0, 0, 0

Timeline

Jun 28, 2017 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2017-9993 advisory

Open in Interactive Console →