CVE-2023-33476

moderate-risk
Published 2023-06-02

ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 is vulnerable to Buffer Overflow. The vulnerability is caused by incorrect validation logic when handling HTTP requests using chunked transport encoding. This results in other code later using attacker-controlled chunk values that exceed the length of the allocated buffer, resulting in out-of-bounds read/write.

Do I need to act?

-
0.73% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Readymedia Project

References (12)

Exploit https://blog.coffinsec.com/0day/2023/05/31/minidlna-heap-overflow-rca.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00027.html
https://security.gentoo.org/glsa/202311-12
Patch https://sourceforge.net/p/minidlna/git/ci/9bd58553fae5aef3e6dd22f51642d2c851225a...
Product https://sourceforge.net/projects/minidlna/
https://www.debian.org/security/2023/dsa-5434
Exploit https://blog.coffinsec.com/0day/2023/05/31/minidlna-heap-overflow-rca.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00027.html
https://security.gentoo.org/glsa/202311-12
Patch https://sourceforge.net/p/minidlna/git/ci/9bd58553fae5aef3e6dd22f51642d2c851225a...
Product https://sourceforge.net/projects/minidlna/
https://www.debian.org/security/2023/dsa-5434
39
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal