CVE-2021-29462: 
Linux Debian vulnerability analysis and mitigation

The Portable SDK for UPnP Devices (pupnp/libupnp) was found to be vulnerable to DNS rebinding attacks in versions prior to 1.14.6. The vulnerability, identified as CVE-2021-29462, was discovered and disclosed on April 20, 2021. The core issue stems from the server component's failure to validate the 'Host' header, potentially exposing UPnP device and control point applications to remote attacks (GitHub Advisory, NVD).

The vulnerability received a CVSS v3.1 Base Score of 9.8 (CRITICAL) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. GitHub assigned a slightly lower score of 7.6 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L. The vulnerability is classified under CWE-345 (Insufficient Verification of Data Authenticity) by NIST (NVD).

A remote web server can exploit this vulnerability to manipulate the user's browser into triggering unauthorized actions on local UPnP services implemented using this library. The impact includes potential data exfiltration, data tampering, and unauthorized access to resources exposed through the embedded web server. For UPnP AV MediaServer implementations, attackers could potentially exfiltrate media files and, if enabled, delete or upload files (GitHub Advisory).

The vulnerability was patched in version 1.14.6 of the Portable SDK for UPnP Devices. As a workaround, users can mitigate the risk by utilizing DNS resolvers that block DNS-rebinding attacks (GitHub Advisory, Openwall).