CVE-2019-12730

aa_read_header in libavformat/aadec.c in FFmpeg before 3.2.14 and 4.x before 4.1.4 does not check for sscanf failure and consequently allows use of uninitialized variables.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 81%
VendorProductVersion
ffmpegffmpeg
𝑥
< 3.2.14
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ffmpeg
bullseye
7:4.3.7-0+deb11u1
fixed
bullseye (security)
7:4.3.8-0+deb11u1
fixed
bookworm
7:5.1.6-0+deb12u1
fixed
bookworm (security)
7:5.1.6-0+deb12u1
fixed
sid
7:7.1-3
fixed
trixie
7:7.1-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ffmpeg
focal
not-affected
eoan
not-affected
disco
ignored
cosmic
ignored
bionic
Fixed 7:3.4.8-0ubuntu0.2
released
xenial
Fixed 7:2.8.17-0ubuntu0.1
released
trusty
dne
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/109317
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9b4004c054964a49c7ba44583f4cee22486dd8f2
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1.4
https://github.com/FFmpeg/FFmpeg/commit/ed188f6dcdf0935c939ed813cf8745d50742014b
https://github.com/FFmpeg/FFmpeg/compare/a97ea53...ba11e40
https://seclists.org/bugtraq/2019/Aug/30
https://security.gentoo.org/glsa/202003-65
https://usn.ubuntu.com/4431-1/
https://www.debian.org/security/2019/dsa-4502
http://www.securityfocus.com/bid/109317
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9b4004c054964a49c7ba44583f4cee22486dd8f2
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1.4
https://github.com/FFmpeg/FFmpeg/commit/ed188f6dcdf0935c939ed813cf8745d50742014b
https://github.com/FFmpeg/FFmpeg/compare/a97ea53...ba11e40
https://seclists.org/bugtraq/2019/Aug/30
https://security.gentoo.org/glsa/202003-65
https://usn.ubuntu.com/4431-1/
https://www.debian.org/security/2019/dsa-4502