CVE-2021-29462
high
CVSS v3
—
CVSS v2
—
VIR risk
8.0
Description
The Portable SDK for UPnP Devices is an SDK for development of UPnP device and control point applications. The server part of pupnp (libupnp) appears to be vulnerable to DNS rebinding attacks because it does not check the value of the `Host` header. This can be mitigated by using DNS revolvers which block DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and later.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-29462
Vendor advisory: arch — https://security.archlinux.org/ASA-202104-8
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | fixed | 1.14.6-1 | |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | trixie | fixed | 0 |
References
Verify integrity in audit chain (admin only). AS-IS.