
[Vulnerability notice] Remote file reading vulnerability in FFmpeg 2.x

Last Updated: Apr 02, 2018

CVE identifier

None

Vulnerability name

Remote file reading vulnerability in FFmpeg 2.x

Vulnerability description

FFmpeg 2.x is a multimedia encoding and decoding framework. Two high-severity vulnerabilities, CVE-2016-1897 and CVE-2016-1898, have recently been reported in FFmpeg 2.x.

These vulnerabilities allow attackers to remotely steal local files from the server by uploading a crafted HLS slice index (playlist) file.

Affected scope

  • FFmpeg 2.8.x < 2.8.5
  • FFmpeg 2.7.x < 2.7.5
  • FFmpeg 2.6.x < 2.6.7
  • FFmpeg 2.5.x < 2.5.10

How to fix or mitigate

  • Use the Alibaba Cloud Security web application firewall to intercept attack requests that target these vulnerabilities.

  • Upgrade FFmpeg to the latest version.

    • Upgrade FFmpeg 2.8.x series to FFmpeg 2.8.5 or a later version.
    • Upgrade FFmpeg 2.7.x series to FFmpeg 2.7.5 or a later version.
    • Upgrade FFmpeg 2.6.x series to FFmpeg 2.6.7 or a later version.
    • Upgrade FFmpeg 2.5.x series to FFmpeg 2.5.10 or a later version.
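
To check whether a host still runs a release listed under "Affected scope", the following added example (not part of the original notice) classifies the banner printed by `ffmpeg -version`. The function names and sample banners are assumptions made for illustration; the fixed versions are copied from the notice.

```python
import re
import shutil
import subprocess

# First fixed release per affected series, copied from the notice's "Affected scope".
FIXED = {(2, 8): 5, (2, 7): 5, (2, 6): 7, (2, 5): 10}

# Banner line printed by `ffmpeg -version`, e.g.
# "ffmpeg version 2.8.4-1ubuntu1 Copyright (c) 2000-2015 ..." (constructed sample)
BANNER = re.compile(r"^ffmpeg version (\S+)", re.MULTILINE)
# Optional distro epoch ("7:"), optional git tag prefix ("n"), then X.Y[.Z].
RELEASE = re.compile(r"^(?:\d+:)?n?(\d+)\.(\d+)(?:\.(\d+))?")


def classify(banner_text):
    """Return 'affected', 'fixed', 'out-of-scope' or 'unknown' for a banner."""
    m = BANNER.search(banner_text)
    if not m:
        return "unknown"
    rel = RELEASE.match(m.group(1))
    if not rel:
        # Git snapshot builds (e.g. "N-77883-gd7c75a5") carry no release number.
        return "unknown"
    major, minor = int(rel.group(1)), int(rel.group(2))
    patch = int(rel.group(3) or 0)  # "2.6" means 2.6.0
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "out-of-scope"  # series not listed in this notice
    # Compare numerically so that 2.5.9 < 2.5.10.
    return "affected" if patch < fixed_patch else "fixed"


def check_installed(binary="ffmpeg"):
    """Classify the ffmpeg binary found on PATH, or return None if absent."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "-version"], capture_output=True,
                         text=True, timeout=10).stdout
    return classify(out)


if __name__ == "__main__":
    print(check_installed())
```

Distribution packages may backport fixes without changing the upstream version number, so treat an "affected" result on a packaged build as a prompt to check the vendor changelog. Builds that report "unknown" need to be identified from their source revision.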