CVE-2021-29462

The Portable SDK for UPnP Devices is an SDK for development of UPnP device and control point applications. The server part of pupnp (libupnp) appears to be vulnerable to DNS rebinding attacks because it does not check the value of the `Host` header. This can be mitigated by using DNS revolvers which block DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and later.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
GitHub_MCNA
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 40%
VendorProductVersion
pupnp_projectpupnp
𝑥
< 1.14.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pupnp
sid
1:1.14.19-2
fixed
trixie
1:1.14.19-2
fixed
bookworm
ignored
bullseye
no-dsa
buster
no-dsa
stretch
no-dsa
pupnp-1.8
bookworm
ignored
bullseye
no-dsa
buster
no-dsa
stretch
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libupnp
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
needs-triage
xenial
needs-triage
trusty
dne
mediatomb
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
dne
xenial
needs-triage
trusty
dne
pupnp-1.8
noble
dne
mantic
dne
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
hirsute
ignored
groovy
ignored
focal
needs-triage
bionic
needs-triage
xenial
dne
trusty
dne
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2021/04/20/4
https://github.com/pupnp/pupnp/security/advisories/GHSA-6hqq-w3jq-9fhg
http://www.openwall.com/lists/oss-security/2021/04/20/4
https://github.com/pupnp/pupnp/security/advisories/GHSA-6hqq-w3jq-9fhg