CVE-2023-39018: There's a code injection vulnerability of `net.bramp.ffmpeg.FFmpeg.<constructor>` · Issue #291 · bramp/ffmpeg-cli-wrapper

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

LetianYuan opened this issue

Jul 20, 2023

· 2 comments

Comments

Affected Version
The latest version 0.7.0 and below.

Describe the vulnerability
net.bramp.ffmpeg.FFmpeg.<constructor> is designed to create an FFmpeg object. However, passing an unchecked argument to this API can lead to the execution of arbitrary codes. For instance, following codes can lead to the execution of malicious program:

new FFmpeg("C:/Windows/System32/calc.exe");

To Reproduce
Just execute above codes would reproduce it.

Fix Suggestion
Check the parameter of FFmpeg.<constructor> strictly.

It is by design that a user can provide the path to the binary they wish to call for ffmpeg/avconv

What would you suggest instead? As-in what is a concrete suggestion for more strict checking?

It is by design that a user can provide the path to the binary they wish to call for ffmpeg/avconv

What would you suggest instead? As-in what is a concrete suggestion for more strict checking?

Much thanks for your reply. Actually, we’ve sent a mail months ago to discuss this problem, but we got no reply.

I’ll close this issure right now.

2 participants