{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"gupnp security update", "category":"general", "title":"Synopsis" }, { "text":"An update for gupnp is now available for openEuler-20.03-LTS-SP1.", "category":"general", "title":"Summary" }, { "text":"GUPnP is an elegant, object-oriented open source framework for creating UPnP devices and control points, written in C using GObject and libsoup. The GUPnP API is intended to be easy to use, efficient and flexible. It provides the same set of features as libupnp,but shields the developer from most of UPnP's internals.\n\nSecurity Fix(es):\n\nThe Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.(CVE-2020-12695)", "category":"general", "title":"Description" }, { "text":"An update for gupnp is now available for openEuler-20.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"gupnp", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2022-1768", "category":"self", "url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1768" }, { "summary":"CVE-2020-12695", "category":"self", "url":"https://openeuler.org/en/security/cve/detail?cveId=CVE-2020-12695&packageName=gupnp" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2020-12695" }, { "summary":"openEuler-SA-2022-1768 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2022/csaf-openeuler-sa-2022-1768.json" } ], "title":"An update for gupnp is now available for openEuler-20.03-LTS-SP1", "tracking":{ "initial_release_date":"2022-07-22T09:42:24+08:00", "revision_history":[ { "date":"2022-07-22T09:42:24+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:42:24+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:42:24+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:42:24+08:00", "id":"openEuler-SA-2022-1768", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"openEuler-20.03-LTS-SP1", "name":"openEuler-20.03-LTS-SP1" }, "name":"openEuler-20.03-LTS-SP1", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"gupnp-devel-1.2.4-1.oe1.aarch64.rpm(20.03-LTS-SP1)", "name":"gupnp-devel-1.2.4-1.oe1.aarch64.rpm" }, "name":"gupnp-devel-1.2.4-1.oe1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"gupnp-debugsource-1.2.4-1.oe1.aarch64.rpm(20.03-LTS-SP1)", "name":"gupnp-debugsource-1.2.4-1.oe1.aarch64.rpm" }, "name":"gupnp-debugsource-1.2.4-1.oe1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"gupnp-1.2.4-1.oe1.aarch64.rpm(20.03-LTS-SP1)", "name":"gupnp-1.2.4-1.oe1.aarch64.rpm" }, "name":"gupnp-1.2.4-1.oe1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"gupnp-debuginfo-1.2.4-1.oe1.aarch64.rpm(20.03-LTS-SP1)", "name":"gupnp-debuginfo-1.2.4-1.oe1.aarch64.rpm" }, "name":"gupnp-debuginfo-1.2.4-1.oe1.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"gupnp-help-1.2.4-1.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"gupnp-help-1.2.4-1.oe1.noarch.rpm" }, "name":"gupnp-help-1.2.4-1.oe1.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"gupnp-1.2.4-1.oe1.src.rpm(20.03-LTS-SP1)", "name":"gupnp-1.2.4-1.oe1.src.rpm" }, "name":"gupnp-1.2.4-1.oe1.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"gupnp-debuginfo-1.2.4-1.oe1.x86_64.rpm(20.03-LTS-SP1)", "name":"gupnp-debuginfo-1.2.4-1.oe1.x86_64.rpm" }, "name":"gupnp-debuginfo-1.2.4-1.oe1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"gupnp-1.2.4-1.oe1.x86_64.rpm(20.03-LTS-SP1)", "name":"gupnp-1.2.4-1.oe1.x86_64.rpm" }, "name":"gupnp-1.2.4-1.oe1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"gupnp-devel-1.2.4-1.oe1.x86_64.rpm(20.03-LTS-SP1)", "name":"gupnp-devel-1.2.4-1.oe1.x86_64.rpm" }, "name":"gupnp-devel-1.2.4-1.oe1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"gupnp-debugsource-1.2.4-1.oe1.x86_64.rpm(20.03-LTS-SP1)", "name":"gupnp-debugsource-1.2.4-1.oe1.x86_64.rpm" }, "name":"gupnp-debugsource-1.2.4-1.oe1.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"gupnp-devel-1.2.4-1.oe1.aarch64.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:gupnp-devel-1.2.4-1.oe1.aarch64", "name":"gupnp-devel-1.2.4-1.oe1.aarch64 as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"gupnp-debugsource-1.2.4-1.oe1.aarch64.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:gupnp-debugsource-1.2.4-1.oe1.aarch64", "name":"gupnp-debugsource-1.2.4-1.oe1.aarch64 as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"gupnp-1.2.4-1.oe1.aarch64.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:gupnp-1.2.4-1.oe1.aarch64", "name":"gupnp-1.2.4-1.oe1.aarch64 as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"gupnp-debuginfo-1.2.4-1.oe1.aarch64.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:gupnp-debuginfo-1.2.4-1.oe1.aarch64", "name":"gupnp-debuginfo-1.2.4-1.oe1.aarch64 as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"gupnp-help-1.2.4-1.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:gupnp-help-1.2.4-1.oe1.noarch", "name":"gupnp-help-1.2.4-1.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"gupnp-1.2.4-1.oe1.src.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:gupnp-1.2.4-1.oe1.src", "name":"gupnp-1.2.4-1.oe1.src as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"gupnp-debuginfo-1.2.4-1.oe1.x86_64.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:gupnp-debuginfo-1.2.4-1.oe1.x86_64", "name":"gupnp-debuginfo-1.2.4-1.oe1.x86_64 as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"gupnp-1.2.4-1.oe1.x86_64.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:gupnp-1.2.4-1.oe1.x86_64", "name":"gupnp-1.2.4-1.oe1.x86_64 as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"gupnp-devel-1.2.4-1.oe1.x86_64.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:gupnp-devel-1.2.4-1.oe1.x86_64", "name":"gupnp-devel-1.2.4-1.oe1.x86_64 as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"gupnp-debugsource-1.2.4-1.oe1.x86_64.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:gupnp-debugsource-1.2.4-1.oe1.x86_64", "name":"gupnp-debugsource-1.2.4-1.oe1.x86_64 as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2020-12695", "notes":[ { "text":"The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:gupnp-devel-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:gupnp-debugsource-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:gupnp-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:gupnp-debuginfo-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:gupnp-help-1.2.4-1.oe1.noarch", "openEuler-20.03-LTS-SP1:gupnp-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP1:gupnp-debuginfo-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP1:gupnp-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP1:gupnp-devel-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP1:gupnp-debugsource-1.2.4-1.oe1.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:gupnp-devel-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:gupnp-debugsource-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:gupnp-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:gupnp-debuginfo-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:gupnp-help-1.2.4-1.oe1.noarch", "openEuler-20.03-LTS-SP1:gupnp-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP1:gupnp-debuginfo-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP1:gupnp-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP1:gupnp-devel-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP1:gupnp-debugsource-1.2.4-1.oe1.x86_64" ], "details":"gupnp security update", "category":"vendor_fix", "url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1768" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:gupnp-devel-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:gupnp-debugsource-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:gupnp-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:gupnp-debuginfo-1.2.4-1.oe1.aarch64", "openEuler-20.03-LTS-SP1:gupnp-help-1.2.4-1.oe1.noarch", "openEuler-20.03-LTS-SP1:gupnp-1.2.4-1.oe1.src", "openEuler-20.03-LTS-SP1:gupnp-debuginfo-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP1:gupnp-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP1:gupnp-devel-1.2.4-1.oe1.x86_64", "openEuler-20.03-LTS-SP1:gupnp-debugsource-1.2.4-1.oe1.x86_64" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2020-12695" } ] }