CVE-2023-39018

FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.<constructor>. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple third parties because there are no realistic use cases in which FFmpeg.java uses untrusted input for the path of the executable file.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/bramp/ffmpeg-cli-wrapper/blob/master/src/main/java/net/bramp/ffmpeg/FFmpeg.java
https://github.com/bramp/ffmpeg-cli-wrapper/issues/291	Exploit Issue Tracking Patch
https://github.com/bramp/ffmpeg-cli-wrapper/blob/master/src/main/java/net/bramp/ffmpeg/FFmpeg.java
https://github.com/bramp/ffmpeg-cli-wrapper/issues/291	Exploit Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:bramp:ffmpeg-cli-wrapper:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-07-28 15:15

Updated : 2024-11-21 08:14

NVD link : CVE-2023-39018

Mitre link : CVE-2023-39018

CVE.ORG link : CVE-2023-39018

JSON object : View

Products Affected

bramp

ffmpeg-cli-wrapper

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2023-39018", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-07-28T15:15:13.227", "references": [{"url": "https://github.com/bramp/ffmpeg-cli-wrapper/blob/master/src/main/java/net/bramp/ffmpeg/FFmpeg.java", "source": "cve@mitre.org"}, {"url": "https://github.com/bramp/ffmpeg-cli-wrapper/issues/291", "tags": ["Exploit", "Issue Tracking", "Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/bramp/ffmpeg-cli-wrapper/blob/master/src/main/java/net/bramp/ffmpeg/FFmpeg.java", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/bramp/ffmpeg-cli-wrapper/issues/291", "tags": ["Exploit", "Issue Tracking", "Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.<constructor>. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple third parties because there are no realistic use cases in which FFmpeg.java uses untrusted input for the path of the executable file."}, {"lang": "es", "value": "Se ha descubierto que FFmpeg v0.7.0 e inferiores contienen una vulnerabilidad de inyecci\u00f3n de c\u00f3digo en el componente \"net.bramp.ffmpeg.FFmpeg..\". Esta vulnerabilidad se aprovecha pasando un argumento no comprobado. "}], "lastModified": "2024-11-21T08:14:37.883", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bramp:ffmpeg-cli-wrapper:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "244DDBF7-4158-41C7-8640-ABCAEDB6DDD8", "versionEndIncluding": "0.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}