CVE-2023-52152
Description
mupnp/net/uri.c in mUPnP for C through 3.0.2 has an out-of-bounds read and application crash because it lacks a certain host length recalculation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
mUPnP for C through 3.0.2 has an out-of-bounds read crash in uri.c due to missing host length recalculation.
Vulnerability
The vulnerability exists in mupnp/net/uri.c of mUPnP for C up to version 3.0.2. The function mupnp_net_uri_setvalue lacks a recalculation of the host length after extracting the host string, leading to an out-of-bounds read. Additionally, improper handling of empty strings in the tokenizer can result in negative sizes being passed to memcpy, causing crashes. The issue is reachable when the library processes HTTP requests, including SOAP server operations. [1]
Exploitation
An attacker can trigger the vulnerability by sending a specially crafted HTTP request to a service using the mUPnP library. No authentication is required; the request is processed by the HTTP server, which calls the vulnerable URI parsing code without proper validation. The crash can be induced remotely. [1]
Impact
Successful exploitation results in an out-of-bounds read, leading to an application crash (denial of service). The crash may also expose sensitive memory contents. There is no indication of remote code execution. [1]
Mitigation
As of the publication date, no official fixed version has been released. A patch is available in the GitHub issue [1]; users should apply it to the source code. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- mUPnP/mUPnP
- Range: <=3.0.2
Patches
No patches discovered yet.
References