CVE-2022-3964 - OpenCVE

A vulnerability classified as problematic has been found in ffmpeg. This affects an unknown part of the file libavcodec/rpzaenc.c of the component QuickTime RPZA Video Encoder. The manipulation of the argument y_size leads to out-of-bounds read. It is possible to initiate the attack remotely. The name of the patch is 92f9b28ed84a77138105475beba16c146bdaf984. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-213543.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ffmpeg	Ffmpeg

Configuration 1 [-]

OR	cpe:2.3:a:ffmpeg:ffmpeg::::::::
	cpe:2.3:a:ffmpeg:ffmpeg::::::::
	cpe:2.3:a:ffmpeg:ffmpeg::::::::

No data.

References

Link	Providers
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984
https://security.gentoo.org/glsa/202312-14
https://vuldb.com/?id.213543

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2022-11-13T00:00:00

Updated: 2024-08-03T01:27:53.103Z

Reserved: 2022-11-13T00:00:00

Link: CVE-2022-3964

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-13T08:15:14.657

Modified: 2023-12-23T12:15:21.140

Link: CVE-2022-3964

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-3964", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "dateUpdated": "2024-08-03T01:27:53.103Z", "dateReserved": "2022-11-13T00:00:00", "datePublished": "2022-11-13T00:00:00"}, "containers": {"cna": {"title": "ffmpeg QuickTime RPZA Video Encoder rpzaenc.c out-of-bounds", "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2023-12-23T12:06:18.621160"}, "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in ffmpeg. This affects an unknown part of the file libavcodec/rpzaenc.c of the component QuickTime RPZA Video Encoder. The manipulation of the argument y_size leads to out-of-bounds read. It is possible to initiate the attack remotely. The name of the patch is 92f9b28ed84a77138105475beba16c146bdaf984. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-213543."}], "affected": [{"vendor": "unspecified", "product": "ffmpeg", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984"}, {"url": "https://vuldb.com/?id.213543"}, {"name": "GLSA-202312-14", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202312-14"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-119 Memory Corruption -> CWE-125 Out-of-Bounds Read", "cweId": "CWE-119"}]}], "x_generator": "vuldb.com"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:27:53.103Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984", "tags": ["x_transferred"]}, {"url": "https://vuldb.com/?id.213543", "tags": ["x_transferred"]}, {"name": "GLSA-202312-14", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202312-14"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*", "matchCriteriaId": "078D4A14-B5EA-401E-84E6-3212AAC69A65", "versionEndExcluding": "4.4.4", "versionStartIncluding": "4.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CE47406-F17E-4C7D-B924-22DEBD106D45", "versionEndExcluding": "5.0.3", "versionStartIncluding": "5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*", "matchCriteriaId": "952B0691-9892-4CDE-A4E7-1EF0EE51B27B", "versionEndExcluding": "5.1.3", "versionStartIncluding": "5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in ffmpeg. This affects an unknown part of the file libavcodec/rpzaenc.c of the component QuickTime RPZA Video Encoder. The manipulation of the argument y_size leads to out-of-bounds read. It is possible to initiate the attack remotely. The name of the patch is 92f9b28ed84a77138105475beba16c146bdaf984. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-213543."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en ffmpeg y clasificada como problem\u00e1tica. Una parte desconocida del archivo libavcodec/rpzaenc.c del componente QuickTime RPZA Video Encoder. La manipulaci\u00f3n del argumento y_size conduce a una lectura fuera de l\u00edmites. Es posible iniciar el ataque de forma remota. El nombre del parche es 92f9b28ed84a77138105475beba16c146bdaf984. Se recomienda aplicar un parche para solucionar este problema. El identificador asociado de esta vulnerabilidad es VDB-213543."}], "id": "CVE-2022-3964", "lastModified": "2023-12-23T12:15:21.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2022-11-13T08:15:14.657", "references": [{"source": "cna@vuldb.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984"}, {"source": "cna@vuldb.com", "url": "https://security.gentoo.org/glsa/202312-14"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.213543"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "cna@vuldb.com", "type": "Primary"}]}