CVE-2019-12106

Published: May 15, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and 1.5 allows a remote attacker to crash the process due to a Use After Free vulnerability.

Affected (2)

Products: Miniupnp Project: Miniupnpd

Miniupnp Project

1 product

Miniupnpd

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Miniupnp Project Miniupnpd	Version 1.4
Miniupnp Project Miniupnpd	Version 1.5

Related CWEs

CWE-416

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

References (6)

https://github.com/miniupnp/miniupnp/commit/cd506a67e174a45c6a202eff182a712955ed6d6f

Source: cve@mitre.org

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2019/05/msg00037.html

Source: cve@mitre.org

https://www.vdoo.com/blog/security-issues-discovered-in-miniupnp

Source: cve@mitre.org

ExploitPatchThird Party Advisory

https://github.com/miniupnp/miniupnp/commit/cd506a67e174a45c6a202eff182a712955ed6d6f

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2019/05/msg00037.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.vdoo.com/blog/security-issues-discovered-in-miniupnp

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.