Main Vulnerability Database SB2023112508

SB2023112508 - Gentoo update for MiniDLNA

Published: November 25, 2023

Security Bulletin ID SB2023112508

Severity

High

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) DNS rebinding (CVE-ID: CVE-2022-26505)

The vulnerability allows a remote attacker to perform DNS rebinding attacks.

The vulnerability exists due to the application is prone to DNS rebinding attacks. A remote attacker can trick the victim browser into triggering arbitrary UPnP requests on the local DLNA server and obtain results of such actions, including the ability to read shared files.

2) Out-of-bounds write (CVE-ID: CVE-2023-33476)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when handling HTTP requests using chunked transport encoding. A remote attacker can send a specially crafted HTTP request to the server, trigger an out-of-bounds write and execute arbitrary code on the target system.

Remediation

Install update from vendor's website.

References

https://security.gentoo.org/glsa/202311-12