search

RonenSdemocorp-mend / qt

Testing a repo scan for QT
Other
0 stars 0 forks source link

smplayer4.8.7_x64: 4 vulnerabilities (highest severity is: 9.8) - autoclosed #3

Closed mend-for-github-com[bot] closed 3 months ago

mend-for-github-com[bot] commented 8 months ago
Vulnerable Library - smplayer4.8.7_x64

Free media player with support for Youtube

Library home page: https://sourceforge.net/projects/smplayer/

Vulnerable Source Files (2)

/src/3rdparty/libpng/pngrutil.c /src/3rdparty/libpng/pngpread.c

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (smplayer4.8.7_x64 version) Remediation Possible** Reachability
CVE-2017-12652 Critical 9.8 Not Defined 3.2% detected in multiple dependencies Direct 1.6.32
CVE-2015-8472 High 7.3 Not Defined 12.0% smplayer4.8.7_x64 Direct 1.0.65,1.2.55,1.4.18,1.5.25,1.6.20
CVE-2015-8126 High 7.3 Not Defined 2.1% smplayer4.8.7_x64 Direct 1.0.64,1.2.54,1.4.17,1.5.24,1.6.19
CVE-2019-7317 Medium 5.3 Not Defined 0.5% smplayer4.8.7_x64 Direct 1.6.37

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2017-12652 ### Vulnerable Libraries - smplayer4.8.7_x64, smplayer4.8.7_x64

### Vulnerability Details

libpng before 1.6.32 does not properly check the length of chunks against the user limit.

Publish Date: 2019-07-10

URL: CVE-2017-12652

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.2%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12652

Release Date: 2019-07-10

Fix Resolution: 1.6.32

CVE-2015-8472 ### Vulnerable Library - smplayer4.8.7_x64

Free media player with support for Youtube

Library home page: https://sourceforge.net/projects/smplayer/

Found in base branch: 4.8

### Vulnerable Source Files (1)

/src/3rdparty/libpng/pngset.c

### Vulnerability Details

Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.

Publish Date: 2016-01-21

URL: CVE-2015-8472

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 12.0%

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8472

Release Date: 2016-01-21

Fix Resolution: 1.0.65,1.2.55,1.4.18,1.5.25,1.6.20

CVE-2015-8126 ### Vulnerable Library - smplayer4.8.7_x64

Free media player with support for Youtube

Library home page: https://sourceforge.net/projects/smplayer/

Found in base branch: 4.8

### Vulnerable Source Files (1)

/src/3rdparty/libpng/pngwutil.c

### Vulnerability Details

Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.

Publish Date: 2015-11-13

URL: CVE-2015-8126

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.1%

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8126

Release Date: 2015-11-13

Fix Resolution: 1.0.64,1.2.54,1.4.17,1.5.24,1.6.19

CVE-2019-7317 ### Vulnerable Library - smplayer4.8.7_x64

Free media player with support for Youtube

Library home page: https://sourceforge.net/projects/smplayer/

Found in base branch: 4.8

### Vulnerable Source Files (1)

/src/3rdparty/libpng/png.c

### Vulnerability Details

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

Publish Date: 2019-02-04

URL: CVE-2019-7317

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.5%

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317

Release Date: 2019-02-04

Fix Resolution: 1.6.37

mend-for-github-com[bot] commented 3 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.