PR #22414 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22414
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22414.patch
A simple (FFmpeg specific) guide how to choose CVSS >From 9272955c661231c2d5bed1ae0e44dace233e2ebd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Fri, 6 Mar 2026 02:54:40 +0100 Subject: [PATCH] doc/CVSS A simple (FFmpeg specific) guide how to choose CVSS --- doc/CVSS.txt | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 doc/CVSS.txt diff --git a/doc/CVSS.txt b/doc/CVSS.txt new file mode 100644 index 0000000000..26f25c1171 --- /dev/null +++ b/doc/CVSS.txt @@ -0,0 +1,15 @@ +This document is work in progress +It describes how to select the CVSS for a FFmpeg related CVE. +(bits of text below where stolen from YesWeHack Comments) + +The following are general guidlines and specific cases may differ. + +Not a network component -> Attack Vector : Local + Vulnerabilities where malicious data is received over a network by one component, then passed to a separate component with a vulnerability should be scored with an Attack Vector of Local + +Crashes -> AVAILABILITY IMPACT: Low + In many cases, FFmpeg is executed in a "one shot" manner rather than as a long running service processing sequential user input. In such scenarios, a crash may have limited impact + +Specific Filter Parameters -> User Interaction: Required + An attacker can in general not freely set filter Parameters. It requires the owner of the cloud account, end user or admin to set them. + -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
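Review bot: In the "Crashes -> AVAILABILITY IMPACT: Low" entry the heading states the rule unconditionally, while its body limits it to "one shot" execution ("In such scenarios, a crash may have limited impact"), so the file does not say how to score a crash when FFmpeg runs as a long running service. Suggest adding a sentence for that case, or wording the heading so it carries the same condition as the body. The same entry writes the metric name in upper case while the other two use "Attack Vector" and "User Interaction"; pick one style and drop the space before the colon in "Attack Vector : Local". The file should also name the CVSS version it targets, since "User Interaction: Required" is a version 3.x value. Typos: "where stolen" should be "were stolen", "guidlines" should be "guidelines", "Parameters" is capitalised mid-sentence in the last entry, and the explanatory sentences of the first two entries lack a closing period.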
