{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47539", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-25T21:46:10.930Z", "datePublished": "2024-12-11T18:53:00.750Z", "dateUpdated": "2024-12-11T21:41:10.528Z"}, "containers": {"cna": {"title": "GHSL-2024-195: GStreamer has an OOB-write in convert_to_s334_1a", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2024-195_Gstreamer/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2024-195_Gstreamer/"}, {"name": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch", "tags": ["x_refsource_MISC"], "url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch"}, {"name": "https://gstreamer.freedesktop.org/security/sa-2024-0007.html", "tags": ["x_refsource_MISC"], "url": "https://gstreamer.freedesktop.org/security/sa-2024-0007.html"}], "affected": [{"vendor": "gstreamer", "product": "gstreamer", "versions": [{"version": "< 1.24.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-11T18:53:00.750Z"}, "descriptions": [{"lang": "en", "value": "GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10."}], "source": {"advisory": "GHSA-c89v-2mmr-7cr9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-11T21:41:01.424458Z", "id": "CVE-2024-47539", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-11T21:41:10.528Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47539", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-11T21:41:01.424458Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-11T21:41:06.958Z"}}], "cna": {"title": "GHSL-2024-195: GStreamer has an OOB-write in convert_to_s334_1a", "source": {"advisory": "GHSA-c89v-2mmr-7cr9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gstreamer", "product": "gstreamer", "versions": [{"status": "affected", "version": "< 1.24.10"}]}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2024-195_Gstreamer/", "name": "https://securitylab.github.com/advisories/GHSL-2024-195_Gstreamer/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch", "name": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch", "tags": ["x_refsource_MISC"]}, {"url": "https://gstreamer.freedesktop.org/security/sa-2024-0007.html", "name": "https://gstreamer.freedesktop.org/security/sa-2024-0007.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-11T18:53:00.750Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47539", "state": "PUBLISHED", "dateUpdated": "2024-12-11T21:41:10.528Z", "dateReserved": "2024-09-25T21:46:10.930Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-12-11T18:53:00.750Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*", "matchCriteriaId": "82BF8403-8CE2-4AFC-865F-FD40A77D20E0", "versionEndExcluding": "1.24.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10."}, {"lang": "es", "value": "GStreamer es una librer\u00eda para construir gr\u00e1ficos de componentes de manejo de medios. Se identific\u00f3 una vulnerabilidad de escritura fuera de los l\u00edmites en la funci\u00f3n convert_to_s334_1a en isomp4/qtdemux.c. La vulnerabilidad surge debido a una discrepancia entre el tama\u00f1o de la memoria asignada a la matriz de almacenamiento y la condici\u00f3n del bucle i * 2 &lt; ccpair_size. Espec\u00edficamente, cuando ccpair_size es par, el tama\u00f1o asignado en el almacenamiento no coincide con los l\u00edmites esperados del bucle, lo que resulta en una escritura fuera de los l\u00edmites. Este error permite la sobrescritura de hasta 3 bytes m\u00e1s all\u00e1 de los l\u00edmites asignados de la matriz de almacenamiento. Esta vulnerabilidad se corrigi\u00f3 en 1.24.10."}], "id": "CVE-2024-47539", "lastModified": "2024-12-18T21:52:56.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-12-12T02:03:28.203", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://gstreamer.freedesktop.org/security/sa-2024-0007.html"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2024-195_Gstreamer/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:11299", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gstreamer1-plugins-good-0:1.16.1-5.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-17T00:00:00Z"}, {"advisory": "RHSA-2024:11148", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "gstreamer1-plugins-good-0:1.16.1-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11346", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "gstreamer1-plugins-good-0:1.16.1-3.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11346", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "gstreamer1-plugins-good-0:1.16.1-3.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11346", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "gstreamer1-plugins-good-0:1.16.1-3.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11149", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "gstreamer1-plugins-good-0:1.16.1-3.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11149", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "gstreamer1-plugins-good-0:1.16.1-3.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11149", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "gstreamer1-plugins-good-0:1.16.1-3.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11348", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "gstreamer1-plugins-good-0:1.16.1-4.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11122", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "gstreamer1-plugins-good-0:1.22.1-3.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11298", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "gstreamer1-plugins-good-0:1.18.4-6.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-12-17T00:00:00Z"}, {"advisory": "RHSA-2024:11119", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "gstreamer1-plugins-good-0:1.18.4-7.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11121", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "gstreamer1-plugins-good-0:1.22.1-3.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2024-12-16T00:00:00Z"}], "bugzilla": {"description": "gstreamer1-plugins-good: OOB-write in convert_to_s334_1a", "id": "2331726", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331726"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-787", "details": ["GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10.", "A flaw was found in the GStreamer library. An out-of-bounds write in the MP4/MOV demuxer when handling CEA608 Closed Caption tracks can lead to crashes for certain input files. This vulnerability allows a malicious third party to trigger a crash of the application and perform code execution through heap manipulation."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-47539", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "gstreamer1-plugins-good", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2024-12-11T18:53:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47539\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47539\nhttps://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch\nhttps://gstreamer.freedesktop.org/security/sa-2024-0007.html\nhttps://securitylab.github.com/advisories/GHSL-2024-195_Gstreamer/"], "statement": "This vulnerability classified as important severity rather than moderate due to its potential for out-of-bounds memory writes, which are highly exploitable in many scenarios. The discrepancy between the memory allocation and loop bounds allows overwriting up to 3 bytes beyond the intended storage array, which could corrupt adjacent memory. Depending on the execution context, this could lead to critical security consequences, such as the alteration of control structures, heap corruption, or stack manipulation, opening paths for arbitrary code execution or escalation of privileges.", "threat_severity": "Important"}