CVE-2024-51442
Published: 08 January 2025
Description
Command Injection in Minidlna version v1.3.3 and before allows an attacker to execute arbitrary OS commands via a specially crafted minidlna.conf configuration file.
Security Summary
CVE-2024-51442 is a command injection vulnerability (CWE-77) affecting MiniDLNA versions 1.3.3 and earlier. It enables an attacker to execute arbitrary operating system commands by supplying a specially crafted minidlna.conf configuration file. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability over the network with low attack complexity and no privileges, but exploitation requires user interaction, such as convincing an administrator or user to load the malicious configuration file. Successful exploitation yields arbitrary command execution on the host running the vulnerable MiniDLNA instance, which can lead to full remote code execution, data theft or modification, or denial of service.
Mitigation details and patches are referenced in the following advisories and resources: the GitHub repository at https://github.com/mselbrede/CVE-2024-51442, the MiniDLNA bug tracker at https://sourceforge.net/p/minidlna/bugs/364/, the affected source file at https://sourceforge.net/p/minidlna/git/ci/master/tree/minidlna.c, and the project page at https://sourceforge.net/projects/minidlna/. Security practitioners should review these for updates, configuration hardening guidance, or alternative implementations.
Details
- CWE(s)