ArchLinux: 202105-26: gupnp: information disclosure

Arch Linux Security Advisory ASA-202105-26
==========================================

Severity: Medium
Date    : 2021-05-25
CVE-ID  : CVE-2021-33516
Package : gupnp
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1985

Summary
=======

The package gupnp before version 1.2.6-1 is vulnerable to information
disclosure.

Resolution
==========

Upgrade to 1.2.6-1.

# pacman -Syu "gupnp>=1.2.6-1"

The problem has been fixed upstream in version 1.2.6.

Workaround
==========

None.

Description
===========

An issue was discovered in GUPnP before 1.2.5. It allows DNS rebinding.
A remote web server can exploit this vulnerability to trick a victim's
browser into triggering actions against local UPnP services implemented
using this library. Depending on the affected service, this could be
used for data exfiltration, data tampering, etc.
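
In a DNS rebinding request the browser still sends the attacker's domain name in the Host header, so a service on the local network can refuse any request whose Host is not the IP literal and port it listens on. The check below is an added example of that general defence, not code from gupnp or from this advisory; the function name, the address 192.168.1.10, the port 49152 and the name rebind.example are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not gupnp code: accept only the bound IP literal and port as Host. */
int host_header_allowed(const char *host, const char *bound_ip, unsigned bound_port)
{
    const char *name = host, *port_str = NULL;
    size_t name_len;
    if (host == NULL || *host == '\0')
        return 0;
    if (*host == '[') {                     /* IPv6 literal: "[addr]:port" */
        const char *close = strchr(host, ']');
        if (close == NULL || (close[1] != ':' && close[1] != '\0'))
            return 0;
        name = host + 1;
        name_len = (size_t)(close - name);
        port_str = close[1] == ':' ? close + 2 : NULL;
    } else {                                /* IPv4 literal or DNS name */
        const char *colon = strchr(host, ':');
        name_len = colon ? (size_t)(colon - host) : strlen(host);
        port_str = colon ? colon + 1 : NULL;
    }
    /* A rebinding request still carries the attacker's DNS name here. */
    if (name_len != strlen(bound_ip))
        return 0;
    for (size_t i = 0; i < name_len; i++)
        if (tolower((unsigned char)name[i]) != tolower((unsigned char)bound_ip[i]))
            return 0;
    unsigned long port = 80;                /* implied when the header omits it */
    if (port_str != NULL) {
        char *end;
        if (!isdigit((unsigned char)*port_str))
            return 0;
        port = strtoul(port_str, &end, 10);
        if (*end != '\0')
            return 0;
    }
    return port == bound_port;
}

int main(void)
{
    /* Constructed sample headers; the address and name are placeholders. */
    const char *s[] = { "192.168.1.10:49152", "rebind.example:49152" };
    for (size_t i = 0; i < 2; i++)
        printf("%-22s -> %d\n", s[i], host_header_allowed(s[i], "192.168.1.10", 49152));
    return 0;
}
```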

Impact
======

A remote attacker can use DNS rebinding to trick a victim's browser
into triggering actions against local UPnP services.

References
==========

https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536
https://gitlab.gnome.org/GNOME/gupnp/-/issues/24
https://gitlab.gnome.org/GNOME/gupnp/-/merge_requests/13
https://gitlab.gnome.org/GNOME/gupnp/-/commit/ca6ec9dcb26fd7a2a630eb6a68118659b589afac
https://security.archlinux.org/CVE-2021-33516

May 26, 2021