CVE-2022-32271 — CRITICAL (9.6)

Vulnerability Description

In Real Player 20.0.8.310, there is a DCP:// URI Remote Arbitrary Code Execution Vulnerability. This is an internal URL Protocol used by Real Player to reference a file that contains an URL. It is possible to inject script code to arbitrary domains. It is also possible to reference arbitrary local files.

CVSS Score

9.6

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Realnetworks	Realplayer	20.0.8.310

Related Weaknesses (CWE)

CWE-79

References

https://github.com/Edubr2020/RP_DCP_Code_ExecExploitThird Party Advisory
https://youtu.be/AMODp3iTnqYExploitThird Party Advisory
https://github.com/Edubr2020/RP_DCP_Code_ExecExploitThird Party Advisory
https://youtu.be/AMODp3iTnqYExploitThird Party Advisory

FAQ

What is CVE-2022-32271?

CVE-2022-32271 is a vulnerability with a CVSS score of 9.6 (CRITICAL). In Real Player 20.0.8.310, there is a DCP:// URI Remote Arbitrary Code Execution Vulnerability. This is an internal URL Protocol used by Real Player to reference a file that contains an URL. It is pos...

How severe is CVE-2022-32271?

CVE-2022-32271 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-32271?

Check the references section above for vendor advisories and patch information. Affected products include: Realnetworks Realplayer.