DNS rebinding in ReadyMedia (formerly MiniDLNA) - CVE-2022-26505

 


Published: March 7, 2022


Vulnerability identifier: #VU61051
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-26505
CWE-ID: CWE-350
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ReadyMedia (formerly MiniDLNA)
Software vendor: Jakub Vrána

Description

The vulnerability allows a remote attacker to perform DNS rebinding attacks.

The vulnerability exists because the application is prone to DNS rebinding attacks. A remote attacker can trick the victim's browser into triggering arbitrary UPnP requests on the local DLNA server and obtain the results of such actions, including the ability to read shared files.
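One way a LAN-facing UPnP/HTTP server can refuse rebound requests, as an added example that is not ReadyMedia's code or the vendor's patch: a browser that reaches the server through DNS rebinding sends the attacker-controlled hostname in the `Host` header, so the server answers only when `Host` is an IP literal. The function names and the sample `Host` values are assumptions made for this illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int valid_port(const char *p)   /* 1-5 digits, value 1..65535 */
{
    size_t n = strlen(p);
    return n >= 1 && n <= 5 && strspn(p, "0123456789") == n
        && atol(p) >= 1 && atol(p) <= 65535;
}

/* Return 1 only if the Host value is an IP literal with an optional port. */
int host_is_ip_literal(const char *host)
{
    char buf[80], *ip = buf, *sep;
    unsigned char addr[16];            /* large enough for an IPv6 address */
    int af = AF_INET;
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len >= sizeof(buf))
        return 0;
    memcpy(buf, host, len + 1);
    if (buf[0] == '[') {               /* [IPv6] or [IPv6]:port */
        af = AF_INET6;
        ip = buf + 1;
        if ((sep = strchr(buf, ']')) == NULL)
            return 0;
        *sep++ = '\0';                 /* sep now points just past ']' */
        if (*sep != '\0' && *sep != ':')
            return 0;
    } else {                           /* IPv4 or IPv4:port */
        sep = strchr(buf, ':');
    }
    if (sep != NULL && *sep == ':') {  /* split off and check the port */
        *sep++ = '\0';
        if (!valid_port(sep))
            return 0;
    }
    return inet_pton(af, ip, addr) == 1;
}

int main(void)
{
    /* Constructed Host values: LAN address, loopback, attacker-style name. */
    const char *s[] = { "192.168.1.10:8200", "[::1]:8200", "rebind.example:8200" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s %s\n", s[i], host_is_ip_literal(s[i]) ? "serve" : "reject");
    return 0;
}
```

A request handler would call the check before dispatching any UPnP action and return an error response when it fails, so a rebound page never receives device data.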


Remediation

Install updates from the vendor's website.

External links