Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-47774

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-11 Dec, 2024 | 19:15
Updated At-12 Dec, 2024 | 14:15
Rejected At-
Credits

GHSL-2024-262: GStreamer has an OOB-read in gst_avi_subtitle_parse_gab2_chunk

GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_avi_subtitle_parse_gab2_chunk function within gstavisubtitle.c. The function reads the name_length value directly from the input file without checking it properly. Then, the a condition, does not properly handle cases where name_length is greater than 0xFFFFFFFF - 17, causing an integer overflow. In such scenario, the function attempts to access memory beyond the buffer leading to an OOB-read. This vulnerability is fixed in 1.24.10.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:11 Dec, 2024 | 19:15
Updated At:12 Dec, 2024 | 14:15
Rejected At:
▼CVE Numbering Authority (CNA)
GHSL-2024-262: GStreamer has an OOB-read in gst_avi_subtitle_parse_gab2_chunk

GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_avi_subtitle_parse_gab2_chunk function within gstavisubtitle.c. The function reads the name_length value directly from the input file without checking it properly. Then, the a condition, does not properly handle cases where name_length is greater than 0xFFFFFFFF - 17, causing an integer overflow. In such scenario, the function attempts to access memory beyond the buffer leading to an OOB-read. This vulnerability is fixed in 1.24.10.

Affected Products
Vendor
gstreamer
Product
gstreamer
Versions
Affected
  • < 1.24.10
Problem Types
TypeCWE IDDescription
CWECWE-125CWE-125: Out-of-bounds Read
Type: CWE
CWE ID: CWE-125
Description: CWE-125: Out-of-bounds Read
Metrics
VersionBase scoreBase severityVector
4.05.1MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://securitylab.github.com/advisories/GHSL-2024-262_Gstreamer/
x_refsource_CONFIRM
https://github.com/github/securitylab-vulnerabilities/issues/1826
x_refsource_MISC
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8043.patch
x_refsource_MISC
Hyperlink: https://securitylab.github.com/advisories/GHSL-2024-262_Gstreamer/
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/github/securitylab-vulnerabilities/issues/1826
Resource:
x_refsource_MISC
Hyperlink: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8043.patch
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:12 Dec, 2024 | 02:03
Updated At:18 Dec, 2024 | 21:36

GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_avi_subtitle_parse_gab2_chunk function within gstavisubtitle.c. The function reads the name_length value directly from the input file without checking it properly. Then, the a condition, does not properly handle cases where name_length is greater than 0xFFFFFFFF - 17, causing an integer overflow. In such scenario, the function attempts to access memory beyond the buffer leading to an OOB-read. This vulnerability is fixed in 1.24.10.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.1MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Type: Secondary
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CPE Matches
gstreamer_project
gstreamer_project
>>gstreamer>>Versions before 1.24.10(exclusive)
cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-125Primarysecurity-advisories@github.com
CWE ID: CWE-125
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/github/securitylab-vulnerabilities/issues/1826security-advisories@github.com
Broken Link
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8043.patchsecurity-advisories@github.com
Patch
https://securitylab.github.com/advisories/GHSL-2024-262_Gstreamer/security-advisories@github.com
Third Party Advisory
Hyperlink: https://github.com/github/securitylab-vulnerabilities/issues/1826
Source: security-advisories@github.com
Resource:
Broken Link
Hyperlink: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8043.patch
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://securitylab.github.com/advisories/GHSL-2024-262_Gstreamer/
Source: security-advisories@github.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

0Records found
Details not found