CVE-2014-9625

Advisory lineage Upstream: 0 Downstream: 2
Modified
Published: 24 Jan 2020, 21:57
Last modified:06 Aug 2024, 13:47

Vulnerability Summary

Overall Risk (default)
medium
32/100
CVSS Score
7.8 HIGH
v3.1 (nvd)
EPSS Score
1.63% LOW
2% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

24 Jan 2020, 21:57
Published
Vulnerability first disclosed
06 Aug 2024, 13:47
Last Modified
Vulnerability information updated

Description

The GetUpdateFile function in misc/update.c in the Updater in VideoLAN VLC media player before 2.1.6 performs an incorrect cast operation from a 64-bit integer to a 32-bit integer, which allows remote attackers to conduct buffer overflow attacks and execute arbitrary code via a crafted update status file, aka an "integer truncation" vulnerability.

CVSS Metrics

  • v3.1HIGHScore: 7.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • v2.0MEDIUMScore: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 1.63% Percentile: 82%

Techniques & Countermeasures

  • CWE-120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

    The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

Affected Systems

  • videolanvlc_media_player

    < 2.1.6

References (3)