A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.
Weakness
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Readymedia | Readymedia_project | * | 1.3.1 (excluding) |
| Minidlna | Ubuntu | bionic | * |
| Minidlna | Ubuntu | esm-apps/bionic | * |
| Minidlna | Ubuntu | esm-apps/focal | * |
| Minidlna | Ubuntu | esm-apps/jammy | * |
| Minidlna | Ubuntu | esm-apps/xenial | * |
| Minidlna | Ubuntu | focal | * |
| Minidlna | Ubuntu | jammy | * |
| Minidlna | Ubuntu | kinetic | * |
| Minidlna | Ubuntu | upstream | * |
| Minidlna | Ubuntu | xenial | * |
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/21.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/459.html
- https://cwe.mitre.org/data/definitions/461.html
- https://cwe.mitre.org/data/definitions/473.html
- https://cwe.mitre.org/data/definitions/476.html
- https://cwe.mitre.org/data/definitions/59.html
- https://cwe.mitre.org/data/definitions/60.html
- https://cwe.mitre.org/data/definitions/667.html
- https://cwe.mitre.org/data/definitions/94.html
References
- http://www.openwall.com/lists/oss-security/2022/03/06/1
- https://lists.debian.org/debian-lts-announce/2022/04/msg00005.html
- https://security.gentoo.org/glsa/202311-12
- https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/
- https://www.openwall.com/lists/oss-security/2022/03/03/1
- http://www.openwall.com/lists/oss-security/2022/03/06/1
- https://lists.debian.org/debian-lts-announce/2022/04/msg00005.html
- https://security.gentoo.org/glsa/202311-12
- https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/
- https://www.openwall.com/lists/oss-security/2022/03/03/1