PT-2022-21195 · Realnetworks · Realplayer

Published: 2022-06-03 · Updated: 2022-06-12 · CVE-2022-32270

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Real Player versions 20.0.7.309 through 20.0.8.310

Description: The issue allows download of arbitrary file types and Directory Traversal, leading to Remote Code Execution. This occurs because it is possible to plant executables in the startup folder, and DLL planting could also occur. The external::Import() function is involved in this issue.

Recommendations: For versions 20.0.7.309 and 20.0.8.310, consider disabling the external::Import() function until a patch is available to prevent the download of arbitrary file types and Directory Traversal. Restrict access to the startup folder to minimize the risk of planting executables.
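The two defects the description names, an unrestricted file type and a destination that can escape the download directory, are the two checks a download handler has to make before writing anything to disk. The following is an added illustration, not code from the advisory or from RealPlayer: a Python validator that takes a caller-supplied relative path and only returns a destination when the name has an allowlisted media extension and the canonicalized path still sits under the configured download directory. The download directory, the extension allowlist and the sample requests are all constructed for this example.

```python
import os
from pathlib import PurePosixPath

# Constructed allowlist of media types a player would legitimately save.
ALLOWED_EXTENSIONS = {".rm", ".rmvb", ".ra", ".ram", ".mp3", ".mp4"}


def resolve_download_target(base_dir, requested_path, allowed_exts=ALLOWED_EXTENSIONS):
    """Return the absolute file path a download may be written to.

    Raises ValueError for anything that is not a plain relative media file name
    inside base_dir: absolute paths, drive letters, '..' components, embedded
    NUL bytes, disallowed extensions, or a resolved path outside base_dir.
    """
    if "\x00" in requested_path:
        raise ValueError("NUL byte in requested path")

    # Treat backslash and slash alike so a Windows-style "..\\" cannot slip
    # past a check that only knows about "/".
    normalized = requested_path.replace("\\", "/")

    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        raise ValueError("absolute paths and drive letters are not allowed")

    parts = PurePosixPath(normalized).parts
    if not parts:
        raise ValueError("empty file name")
    if any(part in (".", "..") for part in parts):
        raise ValueError("path traversal component rejected")

    # File-type allowlist: the last extension decides, so 'clip.rm.exe' is .exe.
    ext = os.path.splitext(parts[-1])[1].lower()
    if ext not in allowed_exts:
        raise ValueError(f"file type {ext or '(none)'} not permitted")

    # Containment check on the canonical path. This catches anything the
    # lexical checks above missed, e.g. a symlinked subdirectory.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("destination escapes the download directory")
    return candidate


def is_accepted(base_dir, requested_path):
    """Boolean convenience wrapper used by the demo and the tests."""
    try:
        resolve_download_target(base_dir, requested_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed requests: one benign, the rest modelled on the advisory's
    # description (arbitrary file type, traversal toward a startup folder).
    base = "/tmp/realplayer_downloads"
    samples = [
        "clip.rm",
        "movies/trailer.mp4",
        "update.exe",
        "..\\..\\Start Menu\\Programs\\Startup\\evil.exe",
        "../../../etc/cron.d/job.rm",
        "C:\\Windows\\System32\\planted.dll",
        "clip.rm\x00.exe",
    ]
    for req in samples:
        try:
            print(f"ACCEPT {req!r} -> {resolve_download_target(base, req)}")
        except ValueError as err:
            print(f"REJECT {req!r}: {err}")
```

The lexical checks (no absolute path, no `..`, allowlisted extension) are cheap and give precise error messages; the final `realpath` plus `commonpath` comparison is the check that actually guarantees containment, and a handler should keep both rather than relying on either one alone.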

Exploit

Fix

RCE

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2022-32270

Affected Products

Realplayer