CVE-2020-14212 - FFmpeg through 4.3 has a heap-based buffer overflow in avio_get_str in libavformat/aviobuf.c because

CVE-2020-14212

Summary

FFmpeg through 4.3 has a heap-based buffer overflow in avio_get_str in libavformat/aviobuf.c because dnn_backend_native.c calls ff_dnn_load_model_native and a certain index check is omitted.

References

https://patchwork.ffmpeg.org/project/ffmpeg/list/?series=1463
https://security.gentoo.org/glsa/202007-58
https://trac.ffmpeg.org/ticket/8716

Vulnerable Configurations

cpe:2.3:a:ffmpeg:ffmpeg:4.3:*:*:*:*:*:*:*
cpe:2.3:a:ffmpeg:ffmpeg:4.3:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 18-09-2020 - 17:41)
Impact:
Exploitability:

CWE

CWE-787

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

gentoo	GLSA-202007-58
misc	https://patchwork.ffmpeg.org/project/ffmpeg/list/?series=1463 https://trac.ffmpeg.org/ticket/8716

Last major update

18-09-2020 - 17:41

Published

16-06-2020 - 22:15

Last modified

18-09-2020 - 17:41