CVE-2020-12695

Name
CVE-2020-12695
Description
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Third Party Advisory https://www.callstranger.com
Third Party Advisory https://www.kb.cert.org/vuls/id/339275
Mailing List http://www.openwall.com/lists/oss-security/2020/06/08/2
Third Party Advisory https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-of
Third Party Advisory https://github.com/yunuscadirci/CallStranger
Third Party Advisory http://packetstormsecurity.com/files/158051/CallStranger-UPnP-Vulnerability-Checker.html
MISC https://github.com/corelight/callstranger-detector
MISC https://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZDWHKGN3LMGSUEOAAVAMOD3IUIPJVOJ/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQEYVY4D7LASH6AI4WK3IK2QBFHHF3Q2/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3SHL4LOFGHJ3DIXSUIQELGVBDJ7V7LB/
MLIST https://lists.debian.org/debian-lts-announce/2020/08/msg00011.html
MLIST https://lists.debian.org/debian-lts-announce/2020/08/msg00013.html
UBUNTU https://usn.ubuntu.com/4494-1/
DEBIAN https://www.debian.org/security/2020/dsa-4806
MLIST https://lists.debian.org/debian-lts-announce/2020/12/msg00017.html
DEBIAN https://www.debian.org/security/2021/dsa-4898
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3SHL4LOFGHJ3DIXSUIQELGVBDJ7V7LB/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZDWHKGN3LMGSUEOAAVAMOD3IUIPJVOJ/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQEYVY4D7LASH6AI4WK3IK2QBFHHF3Q2/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:ui:unifi_controller:-:*:*:*:*:*:*:* unifi_controller == None == -

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
minidlna 3.13-community 1.2.1-r2 Francesco Colista <francesco.colista@gmail.com> fixed
hostapd 3.10-main 2.8-r3 Natanael Copa <ncopa@alpinelinux.org> fixed