Bug
Resolution: Unresolved
Major
Raspberry Pi4
Raspberry Pi 4
The AGL mediaplayer is remotely opening ports without an authentication process,
allowing any user to connect and freely manipulate the mediaplayer.
All mediaplayer commands such as playing and stopping music can be controlled,
and it's even possible to forcibly terminate the mediaplayer.
I checked it using a Raspberry Pi 4.
I could also see the media player being operated, such as playing and stopping a song, on the screen.
When I send the 'kill' command, the mediaplayer dies.
The following is the journalctl log.
I think it's similar to the CVE-2022-24595 vulnerability.
(https://nvd.nist.gov/vuln/detail/CVE-2022-24595)
I checked this vulnerability on version 16.92.0.