CVE-2017-17554: Aubio is vulnerable to a NULL pointer dereference

CVSS Score: 5.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.38332%
Published: 5/14/2022
Updated: 9/6/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
aubio        | pip       | < 0.4.7             | 0.4.7

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability report explicitly names aubio_source_avcodec_readframe as the vulnerable function. The GitHub patch adds a NULL check for s->avr in the initialization flow before this function is used, confirming the missing validation was the root cause. Crash analysis shows swr_convert() being called with a NULL avr pointer from this function. The commit message and CWE-476 classification directly map to this NULL dereference scenario.

WAF Protection Rules

WAF Rule

A NULL pointer dereference (DoS) vulnerability was found in the function `aubio_source_avcodec_readframe` in io/source_avcodec.c of aubio, which may lead to DoS when playing a crafted audio file.
