Main Vulnerability Database Vulnerabilities #VU52464

#VU52464 DNS-rebinding in PUPnP - CVE-2021-29462

Published: April 21, 2021

Vulnerability identifier: #VU52464

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2021-29462

CWE-ID: CWE-350

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
PUPnP

Software vendor:
pupnp

Description

The vulnerability allows a remote attacker to perform DNS-rebinding attacks.

The vulnerability exists due to libupnp does not check the value of the Host header. A remote attacker can trick the victim's browser to trigger actions on the local UPnP services implemented using this library and perform data exfiltration or data tampering. Depending on the affected service, more advanced attack vectors can be used that lead to system compromise.

Remediation

Install updates from vendor's website.

External links

https://github.com/pupnp/pupnp/security/advisories/GHSA-6hqq-w3jq-9fhg

#VU52464 DNS-rebinding in PUPnP - CVE-2021-29462

Description

Remediation

External links

Please verify you're human