CVE-2020-28926 — Classic Buffer Overflow in Project Readymedia

CWE-120 — Classic Buffer Overflow6 documents5 sources

Severity

9.8CRITICALNVD

OSV7.5

EPSS

66.1%

top 1.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Readymedia Project Readymedia Debian Minidlna Debian Linux

Timeline

PublishedNov 30

Latest updateMay 24

Description

ReadyMedia (aka MiniDLNA) before versions 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶debiandebian/minidlna< minidlna 1.2.1+dfsg-3 (bookworm)

▶NVDreadymedia_project/readymedia< 1.3.0

Also affects: Debian Linux 10.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-gvj3-gg8w-3vrm: ReadyMedia (aka MiniDLNA) before versions 1↗2022-05-24

▶

OSV

minidlna vulnerabilities↗2021-02-04

▶

OSV

CVE-2020-28926: ReadyMedia (aka MiniDLNA) before versions 1↗2020-11-30

▶

📋Vendor Advisories

Ubuntu

ReadyMedia (MiniDLNA) vulnerabilities↗2021-02-04

▶

Debian

CVE-2020-28926: minidlna - ReadyMedia (aka MiniDLNA) before versions 1.3.0 allows remote code execution. Se...↗2020

▶