CVE-2021-33516
HIGHGUPnP < 1.0.7, 1.1.x, < 1.2.5 - DNS Rebinding via UPnP Service
Title source: llmDescription
An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc.
References (2)
Core 2
Core References
Issue Tracking, Vendor Advisory x_refsource_misc
https://gitlab.gnome.org/GNOME/gupnp/-/issues/24
Patch, Vendor Advisory x_refsource_misc
https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536
Scores
CVSS v3
8.1
EPSS
0.0024
EPSS Percentile
47.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Details
Status
published
Products (1)
gnome/gupnp
< 1.0.7
Published
May 24, 2021
Tracked Since
Feb 18, 2026