Main Vulnerability Database SB2021042149

SB2021042149 - DNS-rebinding attack in PUPnP

Published: April 21, 2021

Security Bulletin ID SB2021042149

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) DNS-rebinding (CVE-ID: CVE-2021-29462)

The vulnerability allows a remote attacker to perform DNS-rebinding attacks.

The vulnerability exists due to libupnp does not check the value of the Host header. A remote attacker can trick the victim's browser to trigger actions on the local UPnP services implemented using this library and perform data exfiltration or data tampering. Depending on the affected service, more advanced attack vectors can be used that lead to system compromise.

Remediation

Install update from vendor's website.

References

https://github.com/pupnp/pupnp/security/advisories/GHSA-6hqq-w3jq-9fhg