{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47540", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-25T21:46:10.930Z", "datePublished": "2024-12-11T18:54:04.383Z", "dateUpdated": "2024-12-12T14:34:59.985Z"}, "containers": {"cna": {"title": "GHSL-2024-197: GStreamer uses uninitialized stack memory in Matroska/WebM demuxer", "problemTypes": [{"descriptions": [{"cweId": "CWE-457", "lang": "en", "description": "CWE-457: Use of Uninitialized Variable", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2024-197_GStreamer/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2024-197_GStreamer/"}, {"name": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch", "tags": ["x_refsource_MISC"], "url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch"}, {"name": "https://gstreamer.freedesktop.org/security/sa-2024-0017.html", "tags": ["x_refsource_MISC"], "url": "https://gstreamer.freedesktop.org/security/sa-2024-0017.html"}], "affected": [{"vendor": "gstreamer", "product": "gstreamer", "versions": [{"version": "< 1.24.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-11T18:54:04.383Z"}, "descriptions": [{"lang": "en", "value": "GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10."}], "source": {"advisory": "GHSA-7r72-m3fh-rrfh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-12T14:34:42.237926Z", "id": "CVE-2024-47540", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-12T14:34:59.985Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47540", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-12T14:34:42.237926Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-12T14:34:55.230Z"}}], "cna": {"title": "GHSL-2024-197: GStreamer uses uninitialized stack memory in Matroska/WebM demuxer", "source": {"advisory": "GHSA-7r72-m3fh-rrfh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gstreamer", "product": "gstreamer", "versions": [{"status": "affected", "version": "< 1.24.10"}]}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2024-197_GStreamer/", "name": "https://securitylab.github.com/advisories/GHSL-2024-197_GStreamer/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch", "name": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch", "tags": ["x_refsource_MISC"]}, {"url": "https://gstreamer.freedesktop.org/security/sa-2024-0017.html", "name": "https://gstreamer.freedesktop.org/security/sa-2024-0017.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-457", "description": "CWE-457: Use of Uninitialized Variable"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-11T18:54:04.383Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47540", "state": "PUBLISHED", "dateUpdated": "2024-12-12T14:34:59.985Z", "dateReserved": "2024-09-25T21:46:10.930Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-12-11T18:54:04.383Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*", "matchCriteriaId": "82BF8403-8CE2-4AFC-865F-FD40A77D20E0", "versionEndExcluding": "1.24.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10."}, {"lang": "es", "value": "GStreamer es una librer\u00eda para construir gr\u00e1ficos de componentes de manejo de medios. Se ha identificado una vulnerabilidad de variable de pila no inicializada en la funci\u00f3n gst_matroska_demux_add_wvpk_header dentro de matroska-demux.c. Cuando size &lt; 4, el programa llama a gst_buffer_unmap con una variable de mapa no inicializada. Luego, en la funci\u00f3n gst_memory_unmap, el programa intentar\u00e1 desasignar el b\u00fafer utilizando la variable de mapa no inicializada, lo que provocar\u00e1 un secuestro del puntero de funci\u00f3n, ya que saltar\u00e1 a mem-&gt;allocator-&gt;mem_unmap_full o mem-&gt;allocator-&gt;mem_unmap. Esta vulnerabilidad podr\u00eda permitir que un atacante secuestre el flujo de ejecuci\u00f3n, lo que podr\u00eda provocar la ejecuci\u00f3n del c\u00f3digo. Esta vulnerabilidad se corrigi\u00f3 en 1.24.10."}], "id": "CVE-2024-47540", "lastModified": "2024-12-18T21:53:53.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-12-12T02:03:28.343", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://gstreamer.freedesktop.org/security/sa-2024-0017.html"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2024-197_GStreamer/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-457"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:11344", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "gstreamer1-plugins-base-0:1.10.4-3.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11344", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "gstreamer1-plugins-good-0:1.10.4-3.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11299", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gstreamer1-plugins-good-0:1.16.1-5.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-17T00:00:00Z"}, {"advisory": "RHSA-2024:11148", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "gstreamer1-plugins-good-0:1.16.1-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11346", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "gstreamer1-plugins-good-0:1.16.1-3.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11346", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "gstreamer1-plugins-good-0:1.16.1-3.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11346", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "gstreamer1-plugins-good-0:1.16.1-3.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11149", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "gstreamer1-plugins-good-0:1.16.1-3.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11149", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "gstreamer1-plugins-good-0:1.16.1-3.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11149", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "gstreamer1-plugins-good-0:1.16.1-3.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11348", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "gstreamer1-plugins-good-0:1.16.1-4.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11122", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "gstreamer1-plugins-good-0:1.22.1-3.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11298", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "gstreamer1-plugins-good-0:1.18.4-6.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-12-17T00:00:00Z"}, {"advisory": "RHSA-2024:11119", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "gstreamer1-plugins-good-0:1.18.4-7.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11121", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "gstreamer1-plugins-good-0:1.22.1-3.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2024-12-16T00:00:00Z"}], "bugzilla": {"description": "gstreamer1-plugins-good: uninitialized stack memory in Matroska/WebM demuxer", "id": "2331719", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331719"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-457", "details": ["GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10.", "A flaw was found in the Matroska/WebM demuxer in the GStreamer library. Processing a specially crafted input file can cause the usage of uninitialized stack memory, allowing calls to uninitialized function pointers, potentially resulting in code execution or an application crash."], "mitigation": {"lang": "en:us", "value": "Do not process untrusted files with the Matroska/WebM demuxer and monitor application crashes as this may indicate exploitation attempts."}, "name": "CVE-2024-47540", "public_date": "2024-12-11T18:54:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47540\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47540\nhttps://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch\nhttps://gstreamer.freedesktop.org/security/sa-2024-0017.html\nhttps://securitylab.github.com/advisories/GHSL-2024-197_GStreamer/"], "statement": "To exploit this flaw, an attacker needs to trick a user into opening or processing a specially crafted file with the Matroska/WebM demuxer. However, this issue still has an Important severity as it allows an attacker hijack the execution flow of the application, potentially resulting in unexpected behavior, including arbitrary code execution.", "threat_severity": "Important"}