SB2023092730 - Ubuntu update for minidlna

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023092730

SB2023092730 - Ubuntu update for minidlna

Published: September 27, 2023

Security Bulletin ID SB2023092730
CSH Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) DNS rebinding (CVE-ID: CVE-2022-26505)

CWE-ID: CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform DNS  rebinding attacks.

The vulnerability exists due to the application is prone to DNS rebinding attacks. A remote attacker can trick the victim browser into triggering arbitrary UPnP requests on the local DLNA server and obtain results of such actions, including the ability to read shared files.


2) Out-of-bounds write (CVE-ID: CVE-2023-33476)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber


The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when handling HTTP requests using chunked transport encoding. A remote attacker can send a specially crafted HTTP request to the server, trigger an out-of-bounds write and execute arbitrary code on the target system.


Remediation

Install update from vendor's website.

References