Alpine: multiple ffmpeg packages: security update to 2.8.3-r0 (deprecated)

medium Tenable Cloud Security Plugin ID 401096

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the
concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which
the URL string contains the first line of a local file. (CVE-2016-1897)

- FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the
subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which
the URL string contains an arbitrary line of a local file. (CVE-2016-1898)

See Also

https://git.alpinelinux.org/aports/commit/?id=30f737a26499b1a9bbbcc682fa590414b5478ae5

https://git.alpinelinux.org/aports/commit/?id=8c68262f6d9619eceb4ba3e573dce34318e3c3dd

Plugin Details

Severity: Medium

ID: 401096

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2016-1898

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/20/2016

Vulnerability Publication Date: 1/12/2016

Reference Information

CVE: CVE-2016-1897, CVE-2016-1898

BID: 80501