Vulnerability CVE-2010-0117

Vulnerability Name:

CVE-2010-0117 (CCN-61421)

Assigned:

2010-08-26

Published:

2010-08-26

Updated:

2017-09-19

Summary:

RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows do not properly handle dimensions during YUV420 transformations, which might allow remote attackers to execute arbitrary code via crafted MP4 content.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-Other

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2010-0117

Source: CCN
Type: SA41096
RealPlayer SP Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
41096

Source: CCN
Type: SA41154
RealPlayer Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
41154

Source: CCN
Type: Secunia Research 27/08/2010
RealPlayer YUV420 Transformation Processing Vulnerability

Source: MISC
Type: Vendor Advisory
http://secunia.com/secunia_research/2010-5/

Source: CCN
Type: SECTRACK ID: 1024370
RealPlayer Bugs Let Remote Users Obtain Files and Execute Arbitrary Code

Source: CCN
Type: RealNetworks Web Site
RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.

Source: CONFIRM
Type: Vendor Advisory
http://service.real.com/realplayer/security/08262010_player/en/

Source: CCN
Type: OSVDB ID: 67735
RealPlayer Multiple Products YUV420 Transformation Crafted MP4 Content Handling Arbitrary Code Execution

Source: SECTRACK
Type: UNKNOWN
1024370

Source: VUPEN
Type: UNKNOWN
ADV-2010-2216

Source: XF
Type: UNKNOWN
realplayer-yuv420-code-execution(61421)

Source: XF
Type: UNKNOWN
realplayer-yuv420-code-execution(61421)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:7169

Vulnerable Configuration:

Configuration 1:

cpe:/a:realnetworks:realplayer:11.0:*:*:*:*:*:*:*

OR cpe:/a:realnetworks:realplayer:11.1:*:*:*:*:*:*:*

AND

cpe:/o:microsoft:windows:*:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:realnetworks:realplayer_sp:1.0.0:*:*:*:*:*:*:*

OR cpe:/a:realnetworks:realplayer_sp:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:realnetworks:realplayer_sp:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:realnetworks:realplayer_sp:1.0.5:*:*:*:*:*:*:*

OR cpe:/a:realnetworks:realplayer_sp:1.1:*:*:*:*:*:*:*

OR cpe:/a:realnetworks:realplayer_sp:1.1.1:*:*:*:*:*:*:*

OR cpe:/a:realnetworks:realplayer_sp:1.1.2:*:*:*:*:*:*:*

OR cpe:/a:realnetworks:realplayer_sp:1.1.3:*:*:*:*:*:*:*

OR cpe:/a:realnetworks:realplayer_sp:1.1.4:*:*:*:*:*:*:*

AND

cpe:/o:microsoft:windows:*:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:7169	V	Vulnerability in RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows during YUV420 transformations	2010-11-01

BACK