{"id":"CVE-2020-23931","details":"An issue was discovered in gpac before 1.0.1. The abst_box_read function in box_code_adobe.c has a heap-based buffer over-read.","modified":"2026-04-11T11:23:17.913585Z","published":"2021-04-21T18:15:08.460Z","references":[{"type":"ADVISORY","url":"https://cwe.mitre.org/data/definitions/126.html"},{"type":"ADVISORY","url":"https://github.com/gpac/gpac/issues/1564"},{"type":"ADVISORY","url":"https://github.com/gpac/gpac/issues/1567"},{"type":"FIX","url":"https://github.com/gpac/gpac/commit/093283e727f396130651280609e687cd4778e0d1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gpac/gpac","events":[{"introduced":"0"},{"fixed":"d8538e8ae946b32d99c6b2c57cbb327146e9cd9d"},{"fixed":"093283e727f396130651280609e687cd4778e0d1"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.0.1"}]}}],"versions":["v0.5.2","v0.6.0","v0.7.0","v0.7.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-23931.json","vanir_signatures":[{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["277314140755109788143371680737817935350","232298900907090425745542428086106690466","3118555948760694791857422061136681976","201378029659621369504049888146417231228","9646116961418797508868064954538204670","69321621431637036410176467835980366341","179295534402896864219949575062942359518","6073203465298130345089151230691735587","281553742345317534852341050203622150490","35217966715946227375059836035260457811","106706448532342260716031826842529321344","127513953071112332676161738261724570753","218351240816685984196541729611924717816","180297467491725175461681799813821484237","3425233682095334149993458314078368289","131565954702825122889234981199252575761","77084698175041836346986895808166449474","35217966715946227375059836035260457811","106706448532342260716031826842529321344","127513953071112332676161738261724570753","178360246867399373236993985668530630846","104288676199915675063543297821355467916","177545270537430980269190602498644334325","194420556531594294546512662945502885704","201378029659621369504049888146417231228","79373116797220537460242813970099324782","104288676199915675063543297821355467916","177545270537430980269190602498644334325","194420556531594294546512662945502885704","201378029659621369504049888146417231228","52717418115184172042096511791401135732","162771469340685932696897447296929405192","220737230477673242185344055871594741219","297854710510699809118140348165141510714","161471613187234014298684317631809878358","193858737870657532089767597190897696650"]},"id":"CVE-2020-23931-20000af6","target":{"file":"src/isomedia/box_code_adobe.c"},"signature_version":"v1","signature_type":"Line","source":"https://github.com/gpac/gpac/commit/093283e727f396130651280609e687cd4778e0d1"},{"deprecated":false,"digest":{"length":2702,"function_hash":"224388991912088206730772079559689292973"},"id":"CVE-2020-23931-59295b71","target":{"file":"src/isomedia/box_code_adobe.c","function":"abst_box_read"},"signature_version":"v1","signature_type":"Function","source":"https://github.com/gpac/gpac/commit/093283e727f396130651280609e687cd4778e0d1"}],"vanir_signatures_modified":"2026-04-11T11:23:17Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"}]}