CVE-2023-6601
EUVD-2023-5882406.01.2025, 17:15
A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| ffmpeg | ffmpeg | 2.0 ≤ 𝑥 ≤ 6.0 |
𝑥
= Vulnerable software versions
openSUSE / SLES Releases
openSUSE Product | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| libavcodec58_134 |
| ||||||||||
| libavformat58_76 |
| ||||||||||
| libavutil56_70 |
| ||||||||||
| libpostproc55_9 |
| ||||||||||
| libswresample3_9 |
| ||||||||||
| libswscale5_9 |
|
Common Weakness Enumeration
- CWE-99 - Improper Control of Resource Identifiers ('Resource Injection')The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
- CWE-94 - Improper Control of Generation of Code ('Code Injection')The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.