rpm package
opensuse/minidlna&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/minidlna&distro=openSUSE%20Tumbleweed
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-33476 | — | < 1.3.3-2.1 | 1.3.3-2.1 | Jun 2, 2023 | ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 is vulnerable to Buffer Overflow. The vulnerability is caused by incorrect validation logic when handling HTTP requests using chunked transport encoding. This results in other code later using attacker-controlled chunk values | ||
| CVE-2022-26505 | — | < 1.3.1-1.1 | 1.3.1-1.1 | Mar 6, 2022 | A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. | ||
| CVE-2020-28926 | — | < 1.3.0-2.7 | 1.3.0-2.7 | Nov 30, 2020 | ReadyMedia (aka MiniDLNA) before versions 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove. | ||
| CVE-2020-12695 | — | < 1.3.0-2.7 | 1.3.0-2.7 | Jun 8, 2020 | The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue. |
- CVE-2023-33476Jun 2, 2023affected < 1.3.3-2.1fixed 1.3.3-2.1
ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 is vulnerable to Buffer Overflow. The vulnerability is caused by incorrect validation logic when handling HTTP requests using chunked transport encoding. This results in other code later using attacker-controlled chunk values
- CVE-2022-26505Mar 6, 2022affected < 1.3.1-1.1fixed 1.3.1-1.1
A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.
- CVE-2020-28926Nov 30, 2020affected < 1.3.0-2.7fixed 1.3.0-2.7
ReadyMedia (aka MiniDLNA) before versions 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove.
- CVE-2020-12695Jun 8, 2020affected < 1.3.0-2.7fixed 1.3.0-2.7
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.