CVE-2020-12695

Description

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

How to fix CVE-2020-12695

To remediate CVE-2020-12695, upgrade the affected package to a fixed version below.

• Alpine/hostapd—upgrade to 2.8-r3 or later
• —upgrade to 1.0.1-1+deb9u1 or later
• —upgrade to 1.2.3-1 or later
• —upgrade to 1.2.1+dfsg-3 or later
• —upgrade to 1.1.6+dfsg-1+deb9u1 or later
• —upgrade to 1.2.1+dfsg-2+deb10u1 or later
• —no fix listed
• —upgrade to 2:2.7+git20190128+0c1e29f-6+deb10u3 or later
• —upgrade to 2:2.9.0-16 or later

Is CVE-2020-12695 being exploited?

Low — EPSS is 4.0%, meaning exploitation activity has not been observed at scale.

Affected packages (9)

• from 0, < 2.8-r3
• from 0, < 1.0.1-1+deb9u1
• from 0, < 1.2.3-1
• from 0, < 1.2.1+dfsg-3
• from 0, < 1.1.6+dfsg-1+deb9u1
• from 0, < 1.2.1+dfsg-2+deb10u1
• from 0
• from 0, < 2:2.7+git20190128+0c1e29f-6+deb10u3
• from 0, < 2:2.9.0-16

CVSS scores

References (2)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2020-12695
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-12695