CVE-2007-0017
CVE-2007-0017 is a medium-severity vulnerability in Videolan Vlc Media Player with a CVSS 2.0 base score of 6.8. Its EPSS exploit-prediction score of 12% places it in the 96th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-134.
Key facts
- Severity: Medium (CVSS 2.0 base score 6.8)
- EPSS exploit prediction: 12% (96th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-134
- Affected product: Videolan Vlc Media Player
- Published:
- Last modified:
Description
Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.
Frequently asked questions
- What is CVE-2007-0017?
- Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.
- How severe is CVE-2007-0017?
- CVE-2007-0017 has a CVSS 2.0 base score of 6.8, rated medium severity.
- Is CVE-2007-0017 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 12% (96th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2007-0017?
- CVE-2007-0017 primarily affects Videolan Vlc Media Player. In total, 10 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2007-0017?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2007-0017 published?
- CVE-2007-0017 was published on 2007-01-03 and last updated on 2026-06-16.
References
- http://applefun.blogspot.com/2007/01/moab-02-01-2007-vlc-media-player-udp.html
- http://landonf.bikemonkey.org/code/macosx/MOAB_Day_2.20070103045559.6753.timor.html
- http://osvdb.org/31163
- http://projects.info-pull.com/moab/MOAB-02-01-2007.html
- http://secunia.com/advisories/23592
- http://secunia.com/advisories/23829
- http://secunia.com/advisories/23910
- http://secunia.com/advisories/23971
- http://security.gentoo.org/glsa/glsa-200701-24.xml
- http://securitytracker.com/id?1017464
- http://trac.videolan.org/vlc/changeset/18481
- http://www.debian.org/security/2007/dsa-1252
- http://www.novell.com/linux/security/advisories/2007_13_xine.html
- http://www.securityfocus.com/bid/21852
- http://www.via.ecp.fr/via/ml/vlc-devel/2007-01/msg00005.html
- http://www.videolan.org/patches/vlc-0.8.6-MOAB-02-01-2007.patch
- http://www.videolan.org/sa0701.html
- http://www.vupen.com/english/advisories/2007/0026
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31226
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14313
Affected products (10)
- cpe:2.3:a:videolan:vlc_media_player:0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:videolan:vlc_media_player:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:videolan:vlc_media_player:0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:videolan:vlc_media_player:0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:videolan:vlc_media_player:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:videolan:vlc_media_player:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:videolan:vlc_media_player:0.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:videolan:vlc_media_player:0.8.4a:*:*:*:*:*:*:*
- cpe:2.3:a:videolan:vlc_media_player:0.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:videolan:vlc_media_player:0.8.6:*:*:*:*:*:*:*
More vulnerabilities in Videolan Vlc Media Player
- CVE-2008-0296 — Critical (CVSS 10.0): Heap-based buffer overflow in the libaccess_realrtsp plugin in VideoLAN VLC Media Player 0.8.6d and earlier on Windows…
- CVE-2023-47359 — Critical (CVSS 9.8): Videolan VLC prior to version 3.0.20 contains an incorrect offset read that leads to a Heap-Based Buffer Overflow in…
- CVE-2019-13962 — Critical (CVSS 9.8): lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player through 3.0.7 has a heap-based buffer…
- CVE-2019-12874 — Critical (CVSS 9.8): An issue was discovered in zlib_decompress_extra in modules/demux/mkv/util.cpp in VideoLAN VLC media player 3.x through…
- CVE-2017-10699 — Critical (CVSS 9.8): avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before 2017-06-29, allows out-of-bounds heap memory write…
- CVE-2016-5108 — Critical (CVSS 9.8): Buffer overflow in the DecodeAdpcmImaQT function in modules/codec/adpcm.c in VideoLAN VLC media player before 2.2.4…
All CVEs affecting Videolan Vlc Media Player →
Other CWE-134 vulnerabilities
- CVE-2012-1851 — Critical (CVSS 10.0): Format string vulnerability in the Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2,…
- CVE-2012-0242 — Critical (CVSS 10.0): Format string vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary…
- CVE-2011-2475 — Critical (CVSS 10.0): Format string vulnerability in ECTrace.dll in the iMailGateway service in the Internet Mail Gateway in OneBridge Server…
- CVE-2011-1568 — Critical (CVSS 10.0): Format string vulnerability in the logText function in shmemmgr9.dll in IGSSdataServer.exe 9.00.00.11074, and…
- CVE-2010-4235 — Critical (CVSS 10.0): Format string vulnerability in RealNetworks Helix Server 12.x, 13.x, and 14.x before 14.2, and Helix Mobile Server…
- CVE-2011-0270 — Critical (CVSS 10.0): Format string vulnerability in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows…