CVE-2014-9627 - OpenCVE

The MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 performs an incorrect cast operation from a 64-bit integer to a 32-bit integer, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large box size.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Videolan	Vlc Media Player

Configuration 1 [-]

cpe:2.3:a:videolan:vlc_media_player:*:*:*:*:*:*:*:*

References

Link	Resource
http://openwall.com/lists/oss-security/2015/01/20/5	Mailing List Patch Third Party Advisory
https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39	Patch Third Party Advisory
https://www.videolan.org/security/sa1501.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-01-24T21:57:23

Updated: 2020-01-24T21:57:23

Reserved: 2015-01-20T00:00:00

Link: CVE-2014-9627

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-01-24T22:15:12.440

Modified: 2020-01-29T20:24:47.423

Link: CVE-2014-9627

JSON object: View

Redhat Information

No data.

CWE

CWE-704

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-12-05T00:00:00", "descriptions": [{"lang": "en", "value": "The MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 performs an incorrect cast operation from a 64-bit integer to a 32-bit integer, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large box size."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-24T21:57:23", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://openwall.com/lists/oss-security/2015/01/20/5"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.videolan.org/security/sa1501.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9627", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 performs an incorrect cast operation from a 64-bit integer to a 32-bit integer, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large box size."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://openwall.com/lists/oss-security/2015/01/20/5", "refsource": "MISC", "url": "http://openwall.com/lists/oss-security/2015/01/20/5"}, {"name": "https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39", "refsource": "MISC", "url": "https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39"}, {"name": "https://www.videolan.org/security/sa1501.html", "refsource": "CONFIRM", "url": "https://www.videolan.org/security/sa1501.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9627", "datePublished": "2020-01-24T21:57:23", "dateReserved": "2015-01-20T00:00:00", "dateUpdated": "2020-01-24T21:57:23", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:videolan:vlc_media_player:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E9B8F06-93FB-4A2B-B550-A30BD8F1C5D6", "versionEndExcluding": "2.1.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 performs an incorrect cast operation from a 64-bit integer to a 32-bit integer, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large box size."}, {"lang": "es", "value": "La funci\u00f3n MP4_ReadBox_String en el archivo modules/demux/mp4/libmp4.c en el reproductor multimedia VLC de VideoLAN versiones anteriores a 2.1.6, realiza una operaci\u00f3n de conversi\u00f3n incorrecta de un entero de 64 bits a un entero de 32 bits, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio o posiblemente tener otro impacto no especificado por medio de un tama\u00f1o de caja grande."}], "id": "CVE-2014-9627", "lastModified": "2020-01-29T20:24:47.423", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-24T22:15:12.440", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://openwall.com/lists/oss-security/2015/01/20/5"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.videolan.org/security/sa1501.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-704"}], "source": "nvd@nist.gov", "type": "Primary"}]}