Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2005-2922

Heap-based buffer overflow in the embedded player in multiple RealNetworks products and versions including RealPlayer 10.x, RealOne Player, and Helix Player allows remote malicious servers to cause a denial of service (crash) and possibly execute arbitrary code via a chunked Transfer-Encoding HTTP response in which either (1) the chunk header length is specified as -1, (2) the chunk header with a length that is less than the actual amount of sent data, or (3) a missing chunk header.

Published

2005-12-31T05:00:00.000

Last Modified

2025-04-03T01:03:51.193

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 9.3 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

8.6

Impact Score

10.0

Weaknesses

Type: Primary
CWE-119

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	realnetworks	helix_player	10.0	Yes
Application	realnetworks	helix_player	10.0.1	Yes
Application	realnetworks	helix_player	10.0.2	Yes
Application	realnetworks	helix_player	10.0.3	Yes
Application	realnetworks	helix_player	10.0.4	Yes
Application	realnetworks	helix_player	10.0.5	Yes
Application	realnetworks	helix_player	10.0.6	Yes
Application	realnetworks	realone_player	*	Yes
Application	realnetworks	realone_player	0.288	Yes
Application	realnetworks	realone_player	0.297	Yes
Application	realnetworks	realone_player	1.0	Yes
Application	realnetworks	realone_player	2.0	Yes
Application	realnetworks	realplayer	*	Yes
Application	realnetworks	realplayer	8.0	Yes
Application	realnetworks	realplayer	10.0	Yes
Application	realnetworks	realplayer	10.0.0.305	Yes
Application	realnetworks	realplayer	10.0.0.331	Yes
Application	realnetworks	realplayer	10.0.1	Yes
Application	realnetworks	realplayer	10.0.2	Yes
Application	realnetworks	realplayer	10.0.3	Yes
Application	realnetworks	realplayer	10.0.4	Yes
Application	realnetworks	realplayer	10.0.5	Yes
Application	realnetworks	realplayer	10.0.6	Yes
Application	realnetworks	realplayer	10.5	Yes
Application	realnetworks	realplayer	10.5_6.0.12.1040	Yes
Application	realnetworks	realplayer	10.5_6.0.12.1053	Yes
Application	realnetworks	realplayer	10.5_6.0.12.1056	Yes
Application	realnetworks	realplayer	10.5_6.0.12.1059	Yes
Application	realnetworks	realplayer	10.5_6.0.12.1069	Yes
Application	realnetworks	realplayer	10.5_6.0.12.1235	Yes
Application	realnetworks	rhapsody	3.0	Yes
Application	realnetworks	rhapsody	3.0_build_0.815	Yes

References

http://secunia.com/advisories/19358 Vendor Advisory ([email protected])
http://secunia.com/advisories/19365 Patch, Vendor Advisory ([email protected])
http://securitytracker.com/id?1015808 ([email protected])
http://www.kb.cert.org/vuls/id/172489 Patch, Third Party Advisory, US Government Resource ([email protected])
http://www.novell.com/linux/security/advisories/2006_18_realplayer.html Patch, Vendor Advisory ([email protected])
http://www.redhat.com/support/errata/RHSA-2005-762.html Patch, Vendor Advisory ([email protected])
http://www.redhat.com/support/errata/RHSA-2005-788.html Patch, Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/17202 Exploit ([email protected])
http://www.service.real.com/realplayer/security/03162006_player/en/ Patch ([email protected])
http://www.vupen.com/english/advisories/2006/1057 Vendor Advisory ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/25409 ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11444 ([email protected])
http://secunia.com/advisories/19358 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/19365 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://securitytracker.com/id?1015808 (af854a3a-2127-422b-91ae-364da2661108)
http://www.kb.cert.org/vuls/id/172489 Patch, Third Party Advisory, US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
http://www.novell.com/linux/security/advisories/2006_18_realplayer.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2005-762.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2005-788.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/17202 Exploit (af854a3a-2127-422b-91ae-364da2661108)
http://www.service.real.com/realplayer/security/03162006_player/en/ Patch (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2006/1057 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/25409 (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11444 (af854a3a-2127-422b-91ae-364da2661108)