{"id":"CVE-2017-9993","details":"FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.","modified":"2026-04-16T06:22:54.682594177Z","published":"2017-06-28T06:29:00.520Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/99315"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3957"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"fixed":"ffab459e4e491384756cf8bae0f3922c5e4f6271"},{"introduced":"c40983a6f631d22fede713d535bb9c31d5c9740c"},{"fixed":"a2d9595a4b4e0e6fe85683ff79774fd618b282cc"},{"introduced":"340cea9f22c162e10d120835661e132721b7454b"},{"fixed":"431ccd3f55eae8732fe901622660c52fc712cc25"},{"introduced":"efa89a841941bf61d1a3eb5c2900f98e3e7db85b"},{"fixed":"6d7192bcb7bbab17dc194e8dbb56c208bced0a92"},{"introduced":"0"},{"last_affected":"140fd653aed8cad774f991ba083e2d01e86420c7"},{"fixed":"189ff4219644532bdfa7bab28dfedaee4d6d4021"},{"fixed":"a5d849b149ca67ced2d271dc84db0bc95a548abb"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.8.12"},{"introduced":"3.0"},{"fixed":"3.1.9"},{"introduced":"3.2"},{"fixed":"3.2.6"},{"introduced":"3.3"},{"fixed":"3.3.2"},{"introduced":"0"},{"last_affected":"8.0"}]}}],"versions":["N","n0.11-dev","n0.12-dev","n0.8","n1.1-dev","n1.2-dev","n1.3-dev","n2.0","n2.1-dev","n2.2-dev","n2.3-dev","n2.4-dev","n2.5-dev","n2.6-dev","n2.7-dev","n2.8","n2.8-dev","n2.8.1","n2.8.10","n2.8.11","n2.8.2","n2.8.3","n2.8.4","n2.8.5","n2.8.6","n2.8.7","n2.8.8","n2.8.9","n2.9-dev","n3.1","n3.1-dev","n3.1.1","n3.1.2","n3.1.3","n3.1.4","n3.1.5","n3.1.6","n3.1.7","n3.1.8","n3.2","n3.2-dev","n3.2.1","n3.2.2","n3.2.3","n3.2.4","n3.2.5","n3.3","n3.3-dev","n3.3.1","n3.4-dev","n3.5-dev","n4.1-dev","n4.2-dev","n4.3-dev","n4.4-dev","n4.5-dev","n5.1-dev","n5.2-dev","n6.1-dev","n6.2-dev","n7.1-dev","n7.2-dev","n8.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9993.json","vanir_signatures":[{"digest":{"length":1723,"function_hash":"100093900058542799657889733734995495217"},"deprecated":false,"target":{"function":"read_gab2_sub","file":"libavformat/avidec.c"},"source":"https://github.com/ffmpeg/ffmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb","signature_type":"Function","signature_version":"v1","id":"CVE-2017-9993-0b18ff5d"},{"id":"CVE-2017-9993-193a3aba","digest":{"line_hashes":["247647588641104728213418509410831448062","210452344144348706880714598537528074252","114642071758997392080199538347251752333"],"threshold":0.9},"target":{"file":"libavformat/avidec.c"},"source":"https://github.com/ffmpeg/ffmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb","deprecated":false,"signature_version":"v1","signature_type":"Line"},{"deprecated":false,"signature_version":"v1","target":{"function":"open_url","file":"libavformat/hls.c"},"source":"https://github.com/ffmpeg/ffmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021","signature_type":"Function","id":"CVE-2017-9993-1e057fb8","digest":{"function_hash":"257983092419843509256040459780787130368","length":1418}},{"id":"CVE-2017-9993-fb437f3f","signature_version":"v1","target":{"file":"libavformat/hls.c"},"source":"https://github.com/ffmpeg/ffmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021","deprecated":false,"digest":{"line_hashes":["203502386244361887724902566458987754824","16964987273774486397817083865857283257","141704045537463233543622030142289086163","84024654689120089223240706499637257499","9068505603049988846850622761422986305","326956143841571710063172647790829892873","325329167976874793589187196805427456989","108423924755251432220890115302295076355","192732936803302232881769054923691155627","312204071381423099927987894530916434070","43764614645023624833614649909112426728","314333908702926658478912859270766703185","309502367116977254817880116671407519583"],"threshold":0.9},"signature_type":"Line"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"vanir_signatures_modified":"2026-04-11T03:11:46Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}