CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS
Percentile: 68.6%

Severity: High
Date : 2021-04-29
CVE-ID : CVE-2021-29462
Package : libupnp
Type : content spoofing
Remote : Yes
Link : https://security.archlinux.org/AVG-1844
The package libupnp before version 1.14.6-1 is vulnerable to content
spoofing.
Upgrade to 1.14.6-1.
The problem has been fixed upstream in version 1.14.6.
Workaround: None.
The server part of pupnp (libupnp) appears to be vulnerable to DNS
rebinding attacks because it does not check the value of the Host
header. This can be mitigated by using DNS resolvers which block
DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and
later.
An attacker is able to perform a DNS rebinding attack against a client
browser to trigger local UPnP services. This can be used to, for
example, exfiltrate or tamper with a client's data.
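
The missing Host check described above, sketched as a strict validation that accepts only numeric addresses, assuming legitimate control points reach the device by IP literal. This is an added example, not pupnp's code or its upstream fix; `host_is_ip_literal` is a hypothetical name.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not a libupnp function): returns true only when the
 * Host header value is a numeric IPv4 address or a bracketed IPv6 literal,
 * with an optional ":port". A request made through a rebound DNS name still
 * carries that name in Host, so it is rejected here. The port is checked
 * for digits only, not for range. */
bool host_is_ip_literal(const char *host)
{
    char addr[INET6_ADDRSTRLEN];
    unsigned char buf[sizeof(struct in6_addr)];
    const char *end, *port;
    size_t len;
    int family;

    if (host == NULL)
        return false;
    if (host[0] == '[') {               /* "[v6addr]" or "[v6addr]:port" */
        end = strchr(host, ']');
        if (end == NULL)
            return false;
        host++;                         /* skip '[' */
        port = end + 1;
        family = AF_INET6;
    } else {                            /* "v4addr" or "v4addr:port" */
        end = host + strcspn(host, ":");
        port = end;
        family = AF_INET;
    }
    len = (size_t)(end - host);
    if (len == 0 || len >= sizeof(addr))
        return false;
    memcpy(addr, host, len);
    addr[len] = '\0';
    if (inet_pton(family, addr, buf) != 1)
        return false;                   /* a hostname, not an address */
    if (*port == '\0')
        return true;
    /* Anything after the address must be ":<digits>". */
    if (*port++ != ':' || *port == '\0')
        return false;
    return strspn(port, "0123456789") == strlen(port);
}
```

A server applying this check would answer any request that fails it with an error instead of dispatching it to a UPnP service.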
https://github.com/pupnp/pupnp/security/advisories/GHSA-6hqq-w3jq-9fhg
https://github.com/pupnp/pupnp/commit/21fd85815da7ed2578d0de7cac4c433008f0ecd4
https://security.archlinux.org/CVE-2021-29462