{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47607", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-27T20:37:22.119Z", "datePublished": "2024-12-11T19:13:27.569Z", "dateUpdated": "2024-12-12T14:22:58.305Z"}, "containers": {"cna": {"title": "GHSL-2024-116: Stack-buffer overflow in gst_opus_dec_parse_header", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer/"}, {"name": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8037.patch", "tags": ["x_refsource_MISC"], "url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8037.patch"}, {"name": "https://gstreamer.freedesktop.org/security/sa-2024-0024.html", "tags": ["x_refsource_MISC"], "url": "https://gstreamer.freedesktop.org/security/sa-2024-0024.html"}], "affected": [{"vendor": "gstreamer", "product": "gstreamer", "versions": [{"version": "< 1.24.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-11T19:13:27.569Z"}, "descriptions": [{"lang": "en", "value": "GStreamer is a library for constructing graphs of media-handling components. stack-buffer overflow has been detected in the gst_opus_dec_parse_header function within `gstopusdec.c'. The pos array is a stack-allocated buffer of size 64. If n_channels exceeds 64, the for loop will write beyond the boundaries of the pos array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This bug allows to overwrite the EIP address allocated in the stack. This vulnerability is fixed in 1.24.10."}], "source": {"advisory": "GHSA-xwp8-xrwj-765c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-12T14:22:43.431699Z", "id": "CVE-2024-47607", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-12T14:22:58.305Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47607", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-12T14:22:43.431699Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-12T14:22:54.540Z"}}], "cna": {"title": "GHSL-2024-116: Stack-buffer overflow in gst_opus_dec_parse_header", "source": {"advisory": "GHSA-xwp8-xrwj-765c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gstreamer", "product": "gstreamer", "versions": [{"status": "affected", "version": "< 1.24.10"}]}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer/", "name": "https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8037.patch", "name": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8037.patch", "tags": ["x_refsource_MISC"]}, {"url": "https://gstreamer.freedesktop.org/security/sa-2024-0024.html", "name": "https://gstreamer.freedesktop.org/security/sa-2024-0024.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GStreamer is a library for constructing graphs of media-handling components. stack-buffer overflow has been detected in the gst_opus_dec_parse_header function within `gstopusdec.c'. The pos array is a stack-allocated buffer of size 64. If n_channels exceeds 64, the for loop will write beyond the boundaries of the pos array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This bug allows to overwrite the EIP address allocated in the stack. This vulnerability is fixed in 1.24.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-11T19:13:27.569Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47607", "state": "PUBLISHED", "dateUpdated": "2024-12-12T14:22:58.305Z", "dateReserved": "2024-09-27T20:37:22.119Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-12-11T19:13:27.569Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*", "matchCriteriaId": "82BF8403-8CE2-4AFC-865F-FD40A77D20E0", "versionEndExcluding": "1.24.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GStreamer is a library for constructing graphs of media-handling components. stack-buffer overflow has been detected in the gst_opus_dec_parse_header function within `gstopusdec.c'. The pos array is a stack-allocated buffer of size 64. If n_channels exceeds 64, the for loop will write beyond the boundaries of the pos array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This bug allows to overwrite the EIP address allocated in the stack. This vulnerability is fixed in 1.24.10."}, {"lang": "es", "value": "GStreamer es una librer\u00eda para construir gr\u00e1ficos de componentes de manejo de medios. Se ha detectado un desbordamiento del b\u00fafer de pila en la funci\u00f3n gst_opus_dec_parse_header dentro de `gstopusdec.c'. La matriz pos es un b\u00fafer asignado a la pila de tama\u00f1o 64. Si n_channels supera 64, el bucle for escribir\u00e1 m\u00e1s all\u00e1 de los l\u00edmites de la matriz pos. El valor escrito siempre ser\u00e1 GST_AUDIO_CHANNEL_POSITION_NONE. Este error permite sobrescribir la direcci\u00f3n EIP asignada en la pila. Esta vulnerabilidad se corrigi\u00f3 en 1.24.10."}], "id": "CVE-2024-47607", "lastModified": "2024-12-18T19:53:21.123", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-12-12T02:03:32.363", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8037.patch"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://gstreamer.freedesktop.org/security/sa-2024-0024.html"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:11344", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "gstreamer1-plugins-base-0:1.10.4-3.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11344", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "gstreamer1-plugins-good-0:1.10.4-3.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11345", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gstreamer1-plugins-base-0:1.16.1-5.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-18T00:00:00Z"}, {"advisory": "RHSA-2024:11130", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "gstreamer1-plugins-base-0:1.16.1-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11143", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "gstreamer1-plugins-base-0:1.16.1-3.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11143", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "gstreamer1-plugins-base-0:1.16.1-3.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11143", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "gstreamer1-plugins-base-0:1.16.1-3.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11141", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "gstreamer1-plugins-base-0:1.16.1-3.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11141", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "gstreamer1-plugins-base-0:1.16.1-3.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11141", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "gstreamer1-plugins-base-0:1.16.1-3.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11142", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "gstreamer1-plugins-base-0:1.16.1-3.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11123", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "gstreamer1-plugins-base-0:1.22.1-3.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11120", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "gstreamer1-plugins-base-0:1.18.4-7.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11117", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "gstreamer1-plugins-base-0:1.18.4-7.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11118", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "gstreamer1-plugins-base-0:1.22.1-3.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2024-12-16T00:00:00Z"}], "bugzilla": {"description": "gstreamer1-plugins-base: stack-buffer overflow in gst_opus_dec_parse_header", "id": "2331754", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331754"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-121", "details": ["GStreamer is a library for constructing graphs of media-handling components. stack-buffer overflow has been detected in the gst_opus_dec_parse_header function within `gstopusdec.c'. The pos array is a stack-allocated buffer of size 64. If n_channels exceeds 64, the for loop will write beyond the boundaries of the pos array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This bug allows to overwrite the EIP address allocated in the stack. This vulnerability is fixed in 1.24.10.", "A flaw was found in the GStreamer library. A stack buffer overflow in the Opus decoder can cause crashes for certain input files, potentially allowing a malicious third party to trigger an application crash."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-47607", "public_date": "2024-12-11T19:13:27Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47607\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47607\nhttps://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8037.patch\nhttps://gstreamer.freedesktop.org/security/sa-2024-0024.html\nhttps://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer/"], "statement": "This vulnerability in gst_opus_dec_parse_header is of important severity because it allows an attacker to trigger a stack-based buffer overflow by exceeding the pos array's bounds with unvalidated `n_channels` input. Since the `pos` array is stack-allocated, writing beyond its boundaries can overwrite critical memory regions, including the return address or control data, potentially leading to arbitrary code execution or complete compromise of the affected system. Moreover, the written value, `GST_AUDIO_CHANNEL_POSITION_NONE`, being predictable, may aid attackers in crafting reliable exploits.", "threat_severity": "Important"}