Main Vulnerability Database Vulnerabilities #VU35898

Use-after-free in miniupnpd - CVE-2019-12106

Published: May 16, 2019 / Updated: August 8, 2020

Vulnerability identifier: #VU35898

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-12106

CWE-ID: CWE-416

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: miniupnpd

Affected software:
miniupnpd

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and 1.5 allows a remote attacker to crash the process due to a Use After Free vulnerability.

How to mitigate CVE-2019-12106

Install update from vendor's website.

Sources

https://github.com/miniupnp/miniupnp/commit/cd506a67e174a45c6a202eff182a712955ed6d6f
https://lists.debian.org/debian-lts-announce/2019/05/msg00037.html
https://www.vdoo.com/blog/security-issues-discovered-in-miniupnp

Use-after-free in miniupnpd - CVE-2019-12106

Detailed vulnerability description

How to mitigate CVE-2019-12106

Sources

Please verify you're human