{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-24T15:32:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.gnome.org/GNOME/gupnp/-/issues/24"}, {"tags": ["x_refsource_MISC"], "url": "https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-33516", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.gnome.org/GNOME/gupnp/-/issues/24", "refsource": "MISC", "url": "https://gitlab.gnome.org/GNOME/gupnp/-/issues/24"}, {"name": "https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536", "refsource": "MISC", "url": "https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:50:43.022Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.gnome.org/GNOME/gupnp/-/issues/24"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-33516", "datePublished": "2021-05-24T14:53:02", "dateReserved": "2021-05-24T00:00:00", "dateUpdated": "2024-08-03T23:50:43.022Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnome:gupnp:*:*:*:*:*:*:*:*", "matchCriteriaId": "A06698C3-7DB7-4EF4-A21B-3DB06871BCBB", "versionEndExcluding": "1.0.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:gupnp:*:*:*:*:*:*:*:*", "matchCriteriaId": "F329C6E6-3442-4E58-8E0E-D422289CD579", "versionEndExcluding": "1.2.5", "versionStartIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc."}, {"lang": "es", "value": "Se detect\u00f3 un problema en GUPnP versiones anteriores a 1.0.7 y 1.1.x y versiones 1.2.x anteriores a 1.2.5. Permite el reenlace de DNS. Un servidor web remoto puede explotar esta vulnerabilidad para enga\u00f1ar al navegador de la v\u00edctima para desencadenar acciones contra los servicios UPnP locales implementados usando esta biblioteca. Dependiendo del servicio afectado, esto podr\u00eda usarse para exfiltraci\u00f3n de datos, manipulaci\u00f3n de datos, etc"}], "id": "CVE-2021-33516", "lastModified": "2024-11-21T06:09:00.090", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-24T15:15:07.400", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://gitlab.gnome.org/GNOME/gupnp/-/issues/24"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://gitlab.gnome.org/GNOME/gupnp/-/issues/24"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:2417", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "gupnp-0:1.0.2-6.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2021-06-14T00:00:00Z"}, {"advisory": "RHSA-2021:2363", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gupnp-0:1.0.6-2.el8_4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-06-09T00:00:00Z"}, {"advisory": "RHSA-2021:2459", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "gupnp-0:1.0.3-3.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2021-06-16T00:00:00Z"}, {"advisory": "RHSA-2021:2422", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "gupnp-0:1.0.3-3.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-06-14T00:00:00Z"}], "bugzilla": {"description": "gupnp: allows DNS rebinding which could result in tricking browser into triggering actions against local UPnP services", "id": "1964091", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964091"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "status": "verified"}, "cwe": "CWE-200", "details": ["An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc.", "A flaw was found in gupnp. DNS rebinding can occur when a victim's browser is used by a remote web server to trigger actions against local UPnP services including data exfiltration, data tempering, and other exploits. The highest threat from this vulnerability is to data confidentiality and integrity."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible."}, "name": "CVE-2021-33516", "public_date": "2021-05-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-33516\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-33516\nhttps://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536\nhttps://gitlab.gnome.org/GNOME/gupnp/-/commit/05e964d48322ff23a65c6026d656e4494ace6ff9.\nhttps://gitlab.gnome.org/GNOME/gupnp/-/commit/ca6ec9dcb26fd7a2a630eb6a68118659b589afac\nhttps://gitlab.gnome.org/GNOME/gupnp/-/issues/24"], "threat_severity": "Important", "upstream_fix": "gupnp 1.0.7, gupnp 1.2.5"}