CVE-2021-29462

Published: Apr 20, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

7.6

HIGH

Description

The Portable SDK for UPnP Devices is an SDK for development of UPnP device and control point applications. The server part of pupnp (libupnp) appears to be vulnerable to DNS rebinding attacks because it does not check the value of the `Host` header. This can be mitigated by using DNS revolvers which block DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and later.

Vendor	Product	Versions
pupnp	pupnp	affected `< 1.14.6`

Weaknesses (CWE)

CWE-20

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

References

https://github.com/pupnp/pupnp/security/advisories/GHSA-6hqq-w3jq-9fhg

x_refsource_CONFIRM

[oss-security] 20210420 DNS rebinding vulnerability in pupnp

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-29462

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References