Remote Code Execution Vulnerability in GStreamer EXIF Metadata Parsing by Freedesktop
CVE-2024-4453

7.8 HIGH

Key Information:

Vendor: GStreamer

Status
Vendor
CVE Published: 22 May 2024

What is CVE-2024-4453?

This vulnerability affects the GStreamer library, specifically its EXIF metadata parsing. User-supplied data is not properly validated, which can result in an integer overflow before a buffer is allocated. An attacker can exploit this to execute arbitrary code in the context of the current process. Exploitation requires interaction with this library and depends on how the application implements it, so users and developers should apply the latest security patches.

Affected Version(s)

GStreamer fc0ef6ede6ceda8c89326b38899d4944a8091f40 and 1.24.0

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published