CVE-2022-26505
published 2022-03-06CVE-2022-26505: A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.
PriorityP340high7.4CVSS 3.1
AVNACLPRNUIRSCCHINAN
EPSS
1.57%
72.2th percentile
A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | minidlna | < minidlna 1.3.0+dfsg-2.2 (bookworm) | minidlna 1.3.0+dfsg-2.2 (bookworm) |
| readymedia_project | readymedia | < 1.3.1 | 1.3.1 |
CVSS provenance
nvdv3.17.4HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
osv7.4HIGH
vendor_debian7.4HIGH
vendor_ubuntu7.4HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
ReadyMedia vulnerabilities
vendor_ubuntu·2023-09-27·CVSS 7.4
CVE-2022-26505 [HIGH] ReadyMedia vulnerabilities
Title: ReadyMedia vulnerabilities
Summary: Several security issues were fixed in ReadyMedia.
It was discovered that ReadyMedia was vulnerable to DNS rebinding attacks.
A remote attacker could possibly use this issue to trick the local DLNA
server to leak information. This issue only affected Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-26505)
It was discovered that ReadyMedia incorrectly handled certain HTTP requests
using chunked transport encoding. A remote attacker could possibly use this
issue to cause buffer overflows, resulting in out-of-bounds reads and writes.
(CVE-2023-33476)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2022-26505: minidlna - A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a re...
vendor_debian·2022·CVSS 7.4
CVE-2022-26505 [HIGH] CVE-2022-26505: minidlna - A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a re...
A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.
Scope: local
bookworm: resolved (fixed in 1.3.0+dfsg-2.2)
bullseye: resolved (fixed in 1.3.0+dfsg-2+deb11u1)
forky: resolved (fixed in 1.3.0+dfsg-2.2)
sid: resolved (fixed in 1.3.0+dfsg-2.2)
trixie: resolved (fixed in 1.3.0+dfsg-2.2)
OSV
minidlna vulnerabilities
osv·2023-09-27·CVSS 7.4
CVE-2022-26505 [HIGH] minidlna vulnerabilities
minidlna vulnerabilities
It was discovered that ReadyMedia was vulnerable to DNS rebinding attacks.
A remote attacker could possibly use this issue to trick the local DLNA
server to leak information. This issue only affected Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-26505)
It was discovered that ReadyMedia incorrectly handled certain HTTP requests
using chunked transport encoding. A remote attacker could possibly use this
issue to cause buffer overflows, resulting in out-of-bounds reads and writes.
(CVE-2023-33476)
GHSA
GHSA-xw94-4rmp-7qw5: A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1
ghsa_unreviewed·2022-03-07
CVE-2022-26505 [HIGH] CWE-290 GHSA-xw94-4rmp-7qw5: A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1
A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.
OSV
CVE-2022-26505: A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1
osv·2022-03-06·CVSS 7.4
CVE-2022-26505 [HIGH] CVE-2022-26505: A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1
A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.openwall.com/lists/oss-security/2022/03/06/1https://lists.debian.org/debian-lts-announce/2022/04/msg00005.htmlhttps://security.gentoo.org/glsa/202311-12https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/https://www.openwall.com/lists/oss-security/2022/03/03/1http://www.openwall.com/lists/oss-security/2022/03/06/1https://lists.debian.org/debian-lts-announce/2022/04/msg00005.htmlhttps://security.gentoo.org/glsa/202311-12https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/https://www.openwall.com/lists/oss-security/2022/03/03/1
2022-03-06
Published