CVE-2019-12106 — Use After Free in Minissdpd

CWE-416 — Use After Free5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 29.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Miniupnp Project Minissdpd Debian Minissdpd Miniupnp Project Miniupnpd

Timeline

PublishedMay 15

Latest updateMay 24

Description

The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and 1.5 allows a remote attacker to crash the process due to a Use After Free vulnerability.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Debianminiupnp_project/minissdpd< 1.5.20190210-1+3

▶debiandebian/minissdpd< minissdpd 1.5.20190210-1 (bookworm)

▶NVDminiupnp_project/miniupnpd1.4, 1.5+1

Patches

Patch: github.com ↗Patch: www.vdoo.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-cwrg-89hf-2658: The updateDevice function in minissdpd↗2022-05-24

▶

OSV

CVE-2019-12106: The updateDevice function in minissdpd↗2019-05-15

▶

📋Vendor Advisories

Debian

CVE-2019-12106: minissdpd - The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and 1.5 allow...↗2019

▶

💬Community

Bugzilla

CVE-2019-12106 miniupnp: use-after-free in function updateDevice in minissdpd.c↗2019-05-29

▶