cvelistv5 - cve-2023-6604

CVE-2023-6604 (GCVE-0-2023-6604)

Vulnerability from cvelistv5 – Published: 2025-01-06 16:41 – Updated: 2025-11-03 19:29

Summary

A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-99 - Improper Control of Resource Identifiers ('Resource Injection')

Assigner

fedora

References

URL

Tags

https://bugzilla.redhat.com/show_bug.cgi?id=2334337

issue-trackingx_refsource_REDHAT

Impacted products

	Vendor	Product	Version
			Affected: 2.0 , < 6.* (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-6604",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-06T17:05:31.125324Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-94",
                "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-06T17:06:30.694Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:29:03.485Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00004.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/FFmpeg/FFmpeg",
          "defaultStatus": "unknown",
          "packageName": "FFmpeg",
          "versions": [
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2024-02-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-99",
              "description": "Improper Control of Resource Identifiers (\u0027Resource Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-06T16:41:42.345Z",
        "orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
        "shortName": "fedora"
      },
      "references": [
        {
          "name": "RHBZ#2334337",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334337"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-12-06T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-02-26T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Ffmpeg: hls xbin demuxer dos amplification in ffmpeg",
      "x_redhatCweChain": "CWE-99: Improper Control of Resource Identifiers (\u0027Resource Injection\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
    "assignerShortName": "fedora",
    "cveId": "CVE-2023-6604",
    "datePublished": "2025-01-06T16:41:42.345Z",
    "dateReserved": "2023-12-08T06:53:59.354Z",
    "dateUpdated": "2025-11-03T19:29:03.485Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.\"}, {\"lang\": \"es\", \"value\": \"Se encontr\\u00f3 un fallo en FFmpeg. Esta vulnerabilidad permite una carga de CPU adicional inesperada y un consumo de almacenamiento adicional, lo que puede provocar una degradaci\\u00f3n del rendimiento o la denegaci\\u00f3n del servicio mediante la demultiplexaci\\u00f3n de datos arbitrarios como datos con formato XBIN sin una validaci\\u00f3n de formato adecuada.\"}]",
      "id": "CVE-2023-6604",
      "lastModified": "2025-01-06T17:15:14.413",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"patrick@puiterwijk.org\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
      "published": "2025-01-06T17:15:14.413",
      "references": "[{\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2334337\", \"source\": \"patrick@puiterwijk.org\"}]",
      "sourceIdentifier": "patrick@puiterwijk.org",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"patrick@puiterwijk.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-99\"}]}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-94\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-6604\",\"sourceIdentifier\":\"patrick@puiterwijk.org\",\"published\":\"2025-01-06T17:15:14.413\",\"lastModified\":\"2025-11-03T20:16:07.137\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 un fallo en FFmpeg. Esta vulnerabilidad permite una carga de CPU adicional inesperada y un consumo de almacenamiento adicional, lo que puede provocar una degradaci\u00f3n del rendimiento o la denegaci\u00f3n del servicio mediante la demultiplexaci\u00f3n de datos arbitrarios como datos con formato XBIN sin una validaci\u00f3n de formato adecuada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"patrick@puiterwijk.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"patrick@puiterwijk.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-99\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0\",\"versionEndIncluding\":\"6.0\",\"matchCriteriaId\":\"DE670466-3267-48D2-A826-99B23F7FBD12\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2334337\",\"source\":\"patrick@puiterwijk.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/07/msg00004.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/07/msg00004.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T19:29:03.485Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-6604\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-06T17:05:31.125324Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-06T17:06:25.115Z\"}}], \"cna\": {\"title\": \"Ffmpeg: hls xbin demuxer dos amplification in ffmpeg\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Moderate\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"versions\": [{\"status\": \"affected\", \"version\": \"2.0\", \"lessThan\": \"6.*\", \"versionType\": \"semver\"}], \"packageName\": \"FFmpeg\", \"collectionURL\": \"https://github.com/FFmpeg/FFmpeg\", \"defaultStatus\": \"unknown\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2023-12-06T00:00:00+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2024-02-26T00:00:00+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2024-02-26T00:00:00.000Z\", \"references\": [{\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2334337\", \"name\": \"RHBZ#2334337\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-99\", \"description\": \"Improper Control of Resource Identifiers (\u0027Resource Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5\", \"shortName\": \"fedora\", \"dateUpdated\": \"2025-01-06T16:41:42.345Z\"}, \"x_redhatCweChain\": \"CWE-99: Improper Control of Resource Identifiers (\u0027Resource Injection\u0027)\"}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-6604\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T19:29:03.485Z\", \"dateReserved\": \"2023-12-08T06:53:59.354Z\", \"assignerOrgId\": \"92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5\", \"datePublished\": \"2025-01-06T16:41:42.345Z\", \"assignerShortName\": \"fedora\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GSD-2023-6604

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Aliases

CVE-2023-6604

Aliases

CVE-2023-6604

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-6604",
    "id": "GSD-2023-6604"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-6604"
      ],
      "id": "GSD-2023-6604",
      "modified": "2023-12-13T01:20:33.028474Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2023-6604",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}

GHSA-J6RQ-MPPC-H3JR

Vulnerability from github – Published: 2025-01-06 18:31 – Updated: 2025-11-03 21:32

Details

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-6604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94",
      "CWE-99"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-06T17:15:14Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.",
  "id": "GHSA-j6rq-mppc-h3jr",
  "modified": "2025-11-03T21:32:03Z",
  "published": "2025-01-06T18:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6604"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334337"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00004.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2023-6604

Vulnerability from fkie_nvd - Published: 2025-01-06 17:15 - Updated: 2025-11-03 20:16

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

References

	URL	Tags
	patrick@puiterwijk.org	https://bugzilla.redhat.com/show_bug.cgi?id=2334337	Exploit, Issue Tracking, Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2025/07/msg00004.html

Impacted products

	Vendor	Product	Version
	ffmpeg	ffmpeg	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DE670466-3267-48D2-A826-99B23F7FBD12",
              "versionEndIncluding": "6.0",
              "versionStartIncluding": "2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo en FFmpeg. Esta vulnerabilidad permite una carga de CPU adicional inesperada y un consumo de almacenamiento adicional, lo que puede provocar una degradaci\u00f3n del rendimiento o la denegaci\u00f3n del servicio mediante la demultiplexaci\u00f3n de datos arbitrarios como datos con formato XBIN sin una validaci\u00f3n de formato adecuada."
    }
  ],
  "id": "CVE-2023-6604",
  "lastModified": "2025-11-03T20:16:07.137",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "patrick@puiterwijk.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-06T17:15:14.413",
  "references": [
    {
      "source": "patrick@puiterwijk.org",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334337"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00004.html"
    }
  ],
  "sourceIdentifier": "patrick@puiterwijk.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-99"
        }
      ],
      "source": "patrick@puiterwijk.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

WID-SEC-W-2024-3759

Vulnerability from csaf_certbund - Published: 2024-12-29 23:00 - Updated: 2025-10-21 22:00

Summary

ffmpeg: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Das FFmpeg-Projekt besteht aus freien Programmen und Bibliotheken, die es ermöglichen, digitales Video- und Audiomaterial aufzunehmen, zu konvertieren, zu streamen und abzuspielen. Zudem enthält es mit libavcodec eine Audio- und Video-Codec-Sammlung, die verschiedene Codecs zur Verfügung stellt.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in ffmpeg ausnutzen, um einen Denial of Service Angriff durchzuführen, Sicherheitsmaßnahmen zu umgehen und Daten zu manipulieren.

Betroffene Betriebssysteme

- Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Das FFmpeg-Projekt besteht aus freien Programmen und Bibliotheken, die es erm\u00f6glichen, digitales Video- und Audiomaterial aufzunehmen, zu konvertieren, zu streamen und abzuspielen. Zudem enth\u00e4lt es mit libavcodec eine Audio- und Video-Codec-Sammlung, die verschiedene Codecs zur Verf\u00fcgung stellt.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in ffmpeg ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen und Daten zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-3759 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3759.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-3759 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3759"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2334335 vom 2024-12-29",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334335"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2334336 vom 2024-12-29",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334336"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2334337 vom 2024-12-29",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334337"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2334338 vom 2024-12-29",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334338"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4241 vom 2025-07-14",
        "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00004.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7830-1 vom 2025-10-21",
        "url": "https://ubuntu.com/security/notices/USN-7830-1"
      }
    ],
    "source_lang": "en-US",
    "title": "ffmpeg: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-10-21T22:00:00.000+00:00",
      "generator": {
        "date": "2025-10-22T08:04:19.295+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2024-3759",
      "initial_release_date": "2024-12-29T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-12-29T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-07-14T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2025-10-21T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=6.0",
                "product": {
                  "name": "Open Source ffmpeg \u003c=6.0",
                  "product_id": "T039980"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=6.0",
                "product": {
                  "name": "Open Source ffmpeg \u003c=6.0",
                  "product_id": "T039980-fixed"
                }
              }
            ],
            "category": "product_name",
            "name": "ffmpeg"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-6603",
      "product_status": {
        "known_affected": [
          "2951",
          "T000126"
        ],
        "last_affected": [
          "T039980"
        ]
      },
      "release_date": "2024-12-29T23:00:00.000+00:00",
      "title": "CVE-2023-6603"
    },
    {
      "cve": "CVE-2023-6604",
      "product_status": {
        "known_affected": [
          "2951",
          "T000126"
        ],
        "last_affected": [
          "T039980"
        ]
      },
      "release_date": "2024-12-29T23:00:00.000+00:00",
      "title": "CVE-2023-6604"
    },
    {
      "cve": "CVE-2023-6602",
      "product_status": {
        "known_affected": [
          "2951",
          "T000126"
        ],
        "last_affected": [
          "T039980"
        ]
      },
      "release_date": "2024-12-29T23:00:00.000+00:00",
      "title": "CVE-2023-6602"
    },
    {
      "cve": "CVE-2023-6605",
      "product_status": {
        "known_affected": [
          "2951",
          "T000126"
        ],
        "last_affected": [
          "T039980"
        ]
      },
      "release_date": "2024-12-29T23:00:00.000+00:00",
      "title": "CVE-2023-6605"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-6604 (GCVE-0-2023-6604)

GSD-2023-6604

GHSA-J6RQ-MPPC-H3JR

FKIE_CVE-2023-6604

WID-SEC-W-2024-3759

Tags

Sightings

Nomenclature