[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

re: Real player resource exhaustion Vulnerability

To: akshay.vaghela@xxxxxxxxxxxx
Subject: re: Real player resource exhaustion Vulnerability
From: security curmudgeon <jericho@xxxxxxxxxxxxx>
Date: Wed, 3 Jul 2013 13:33:53 -0500 (CDT)


: Real player resource exhaustion Vulnerability

: Real Networks Real Player is prone to Resource exhaustion vulnerability.: When processing specially crafted HTML file, Real Player uses a value: from the file to control a loop operation. Real player fails to validate: the value before using it, which leads to DoS / Crash.


: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C)

You should probably re-read the CVSSv2 guide. A context-dependent DoS doesnot warrant C:C or I:C.

AV:N/AC:M/Au:N/C:N/I:N/A:C <- at most, if you score based on the idea ofan "IT asset" being software. The CVSSv2 specs are a bit inconsistent inwording, so some people use this as a guideline.

AV:N/AC:M/Au:N/C:N/I:N/A:P <- if you score based on the strictintention of the CVSSv2 spec, where you score based on *system* impact.


: 2013-00-00: Vendor Fix/Patch
: 2013-06-04: Public Disclosure

When was the fix released?

Where was this disclosed on 2013-06-04, since you posted this to Bugtraqon 2013-07-02??

Prev by Date: Re: Linksys EA - 2700, 3500, 4200, 4500 w/ Lighttpd 1.4.28 Unauthenticated Remote Administration Access
Next by Date: Mobile Atlas Creator 1.9.12 - Persistent Command Injection Vulnerability
Previous by thread: Real player resource exhaustion Vulnerability
Next by thread: Re: re: Real player resource exhaustion Vulnerability
Index(es):
- Date
- Thread