CVE-2016-1898 Information

Description

FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file leading to an external HTTP request in which the URL string contains an arbitrary line of a local file.

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Reference

http://habrahabr.ru/company/mailru/blog/274855
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00034.html
http://www.debian.org/security/2016/dsa-3506
http://www.openwall.com/lists/oss-security/2016/01/14/1
http://www.securityfocus.com/bid/80501
http://www.securitytracker.com/id/1034932
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.529036
http://www.ubuntu.com/usn/USN-2944-1
https://security.gentoo.org/glsa/201606-09
https://security.gentoo.org/glsa/201705-08
https://www.kb.cert.org/vuls/id/772447

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.5

Base Severity

MEDIUM
