Detections
Analytics
VLC Media Player < 2.1.5 Multiple Vulnerabilities
critical Nessus Plugin ID 78626
Language:
Synopsis
The remote Windows host contains a media player that is affected by multiple vulnerabilities.Description
The version of VLC media player installed on the remote host is prior to 2.1.5. It is, therefore, affected by the following vulnerabilities :- An error exists in the png_push_read_chunk() function within the file 'pngpread.c' from the included libpng library that can allow denial of service attacks.
(CVE-2014-0333)
- A buffer overflow error exists in the read_server_hello() function within the file 'lib/gnutls_handshake.c' from the included GnuTLS library that can allow arbitrary code execution or denial of service. (CVE-2014-3466)
- A heap-based buffer overflow error exists in the transcode module due to improper validation of user-supplied input when handling invalid channel counts. An attacker can exploit this to execute arbitrary code. (CVE-2014-6440)
Solution
Upgrade to version 2.1.5 or later.See Also
Plugin Details
Severity: Critical
ID: 78626
File Name: vlc_2_1_5.nasl
Version: 1.5
Type: local
Agent: windows
Family: Windows
Published: 10/22/2014
Updated: 11/26/2019
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2014-6440
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:videolan:vlc_media_player
Required KB Items: installed_sw/VLC media player
Exploit Ease: No known exploits are available
Patch Publication Date: 7/26/2014
Vulnerability Publication Date: 2/25/2014
Reference Information
CVE: CVE-2014-0333, CVE-2014-3466, CVE-2014-6440
CERT: 684412