DNS rebinding in ReadyMedia (formerly MiniDLNA) - CVE-2022-26505

 

DNS rebinding in ReadyMedia (formerly MiniDLNA) - CVE-2022-26505

Published: March 7, 2022


Vulnerability identifier: #VU61051
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-26505
CWE-ID: CWE-350
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jakub Vrána
Affected software:
ReadyMedia (formerly MiniDLNA)

Detailed vulnerability description

The vulnerability allows a remote attacker to perform DNS  rebinding attacks.

The vulnerability exists due to the application is prone to DNS rebinding attacks. A remote attacker can trick the victim browser into triggering arbitrary UPnP requests on the local DLNA server and obtain results of such actions, including the ability to read shared files.


How to mitigate CVE-2022-26505

Install updates from vendor's website.

Sources