CVE-2021-33516

{"id": "CVE-2021-33516", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2021-05-24T15:15:07.400", "references": [{"url": "https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://gitlab.gnome.org/GNOME/gupnp/-/issues/24", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc."}, {"lang": "es", "value": "Se detect\u00f3 un problema en GUPnP versiones anteriores a 1.0.7 y 1.1.x y versiones 1.2.x anteriores a 1.2.5. Permite el reenlace de DNS. Un servidor web remoto puede explotar esta vulnerabilidad para enga\u00f1ar al navegador de la v\u00edctima para desencadenar acciones contra los servicios UPnP locales implementados usando esta biblioteca. Dependiendo del servicio afectado, esto podr\u00eda usarse para exfiltraci\u00f3n de datos, manipulaci\u00f3n de datos, etc"}], "lastModified": "2021-05-28T15:41:07.400", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gnome:gupnp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A06698C3-7DB7-4EF4-A21B-3DB06871BCBB", "versionEndExcluding": "1.0.7"}, {"criteria": "cpe:2.3:a:gnome:gupnp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F329C6E6-3442-4E58-8E0E-D422289CD579", "versionEndExcluding": "1.2.5", "versionStartIncluding": "1.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}