CVE-2023-6605 - Vulnerability Details - OpenCVE

A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Ffmpeg	Ffmpeg

Configuration 1 [-]

cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=2334336

History

Tue, 05 Aug 2025 17:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:ffmpeg:ffmpeg::::::::

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00083}`	epss `{'score': 0.00085}`

Mon, 06 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 06 Jan 2025 16:45:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.
Title		Ffmpeg: dash playlist ssrf vulnerability in ffmpeg
Weaknesses		CWE-99
References		https://bugzilla.redhat.com/show_bug.cgi?id=2334336
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2025-01-06T16:42:04.611Z

Updated: 2025-01-06T17:04:18.222Z

Reserved: 2023-12-08T06:54:23.453Z

Link: CVE-2023-6605

Vulnrichment

Updated: 2025-01-06T17:04:11.623Z

NVD

Status : Analyzed

Published: 2025-01-06T17:15:14.613

Modified: 2025-08-05T16:58:45.920

Link: CVE-2023-6605

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6605", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "state": "PUBLISHED", "assignerShortName": "fedora", "dateReserved": "2023-12-08T06:54:23.453Z", "datePublished": "2025-01-06T16:42:04.611Z", "dateUpdated": "2025-01-06T17:04:18.222Z"}, "containers": {"cna": {"title": "Ffmpeg: dash playlist ssrf vulnerability in ffmpeg", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs."}], "affected": [{"versions": [{"status": "affected", "version": "2.0", "lessThan": "6.*", "versionType": "semver"}], "packageName": "FFmpeg", "collectionURL": "https://github.com/FFmpeg/FFmpeg", "defaultStatus": "unknown"}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334336", "name": "RHBZ#2334336", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-02-26T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-99", "description": "Improper Control of Resource Identifiers ('Resource Injection')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-99: Improper Control of Resource Identifiers ('Resource Injection')", "timeline": [{"lang": "en", "time": "2023-12-06T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-02-26T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2025-01-06T16:42:04.611Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-06T17:03:36.572239Z", "id": "CVE-2023-6605", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T17:04:18.222Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-6605", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-06T17:03:36.572239Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T17:04:11.623Z"}}], "cna": {"title": "Ffmpeg: dash playlist ssrf vulnerability in ffmpeg", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"versions": [{"status": "affected", "version": "2.0", "lessThan": "6.*", "versionType": "semver"}], "packageName": "FFmpeg", "collectionURL": "https://github.com/FFmpeg/FFmpeg", "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2023-12-06T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-02-26T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-02-26T00:00:00+00:00", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334336", "name": "RHBZ#2334336", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-99", "description": "Improper Control of Resource Identifiers ('Resource Injection')"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2025-01-06T16:42:04.611Z"}, "x_redhatCweChain": "CWE-99: Improper Control of Resource Identifiers ('Resource Injection')"}}, "cveMetadata": {"cveId": "CVE-2023-6605", "state": "PUBLISHED", "dateUpdated": "2025-01-06T17:04:18.222Z", "dateReserved": "2023-12-08T06:54:23.453Z", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2025-01-06T16:42:04.611Z", "assignerShortName": "fedora"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE670466-3267-48D2-A826-99B23F7FBD12", "versionEndIncluding": "6.0", "versionStartIncluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en FFmpeg's DASH playlist support. Esta vulnerabilidad permite que se realicen solicitudes HTTP GET arbitrarias en nombre de la m\u00e1quina que ejecuta FFmpeg a trav\u00e9s de una lista de reproducci\u00f3n DASH dise\u00f1ada que contiene URL maliciosas."}], "id": "CVE-2023-6605", "lastModified": "2025-08-05T16:58:45.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "patrick@puiterwijk.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-06T17:15:14.613", "references": [{"source": "patrick@puiterwijk.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334336"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-99"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}]}