CVE-2023-33476
minidlna - security update
9.8
CRITICAL
CVSS 3.1
EPSS 0.73%
Description
ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 are vulnerable to a buffer overflow. The vulnerability is caused by incorrect validation logic when handling HTTP requests that use chunked transport encoding: code later in the request path uses attacker-controlled chunk values that exceed the length of the allocated buffer, leading to an out-of-bounds read/write.
How to fix CVE-2023-33476
To remediate CVE-2023-33476, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 1.3.0+dfsg-2+deb11u2 or later
- upgrade to 1.2.1+dfsg-2+deb10u4 or later
- upgrade to 1.3.0+dfsg-2+deb11u2 or later
Is CVE-2023-33476 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.3.0+dfsg-2+deb11u2
- from 0, < 1.2.1+dfsg-2+deb10u4
- from 0, < 1.3.0+dfsg-2+deb11u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |