CVE-2013-3245

2013-07-1000:00:00

ubuntu.com

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

EPSS

0.008

Percentile

81.9%

JSON

DISPUTED plugins/demux/libmkv_plugin.dll in VideoLAN VLC Media Player
2.0.7, and possibly other versions, allows remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a crafted
MKV file, possibly involving an integer overflow and out-of-bounds read or
heap-based buffer overflow, or an uncaught exception. NOTE: the vendor
disputes the severity and claimed vulnerability type of this issue, stating
“This PoC crashes VLC, indeed, but does nothing more… this is not an
integer overflow error, but an uncaught exception and I doubt that it is
exploitable. This uncaught exception makes VLC abort, not execute random
code, on my Linux 64bits machine.” A PoC posted by the original researcher
shows signs of an attacker-controlled out-of-bounds read, but the affected
instruction does not involve a register that directly influences control
flow.

OSVersionArchitecturePackageVersionFilename
ubuntu12.04noarchvlc< 2.0.8-0ubuntu0.12.04.1UNKNOWN
ubuntu12.10noarchvlc< 2.0.8-0ubuntu0.12.10.1UNKNOWN
ubuntu13.04noarchvlc< 2.0.8-0ubuntu0.13.04.1UNKNOWN
ubuntu13.10noarchvlc< 2.0.8-1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	12.04	noarch	vlc	< 2.0.8-0ubuntu0.12.04.1	UNKNOWN
ubuntu	12.10	noarch	vlc	< 2.0.8-0ubuntu0.12.10.1	UNKNOWN
ubuntu	13.04	noarch	vlc	< 2.0.8-0ubuntu0.13.04.1	UNKNOWN
ubuntu	13.10	noarch	vlc	< 2.0.8-1	UNKNOWN