CVE-2024-51442
Published: 08 January 2025
Summary
CVE-2024-51442 is a high-severity command injection vulnerability (CWE-77, Improper Neutralization of Special Elements used in a Command). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). Its EPSS ranking places it in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-51442 is a command injection vulnerability in MiniDLNA versions 1.3.3 and earlier. The issue, classified as CWE-77, arises while the daemon processes the minidlna.conf configuration file: a value from a malicious file reaches an operating system command, so an attacker who controls the file can execute arbitrary OS commands with the privileges of the minidlnad process.
The CVSS 3.x vector behind the 8.8 score treats the attack as network-reachable and unauthenticated but requiring user interaction: the operator (or a provisioning mechanism acting for them) must load the crafted configuration file. Once that happens, the impact is high on confidentiality, integrity, and availability.
Public references point to a GitHub repository containing exploit details, a SourceForge bug report, and the project's source repository, but none of them contains an explicit statement about a patch or mitigation steps. The EPSS score is 0.3905 (roughly a 39% estimated probability of exploitation activity within 30 days), which is consistent with the top 2.6% ranking above and has not risen materially from its earlier value.
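The bug class above is easiest to understand with a small worked example. The following C program is an added illustration written for this page; it is not MiniDLNA's source code, and which minidlna.conf option is the real injection sink is not stated on this page, so the use of `db_dir` here is an assumption chosen only because it is a directory-valued option. The sample configuration file is constructed. The program parses a `key=value` config, shows how splicing the value into a `system()`-style command string turns a path into a shell payload, and then shows the two hardening steps the page's SI-10 control calls for: validate the value at the parsing point, and reach the filesystem through `unlink(2)` instead of a shell so no metacharacters are ever interpreted.

```c
/* Added example for CVE-2024-51442's bug class (config value reaching a
 * shell). Hypothetical code, not MiniDLNA's; the db_dir sink is assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed minidlna.conf-style input with a shell payload in db_dir. */
static const char MALICIOUS_CONF[] =
    "media_dir=/srv/media\n"
    "db_dir=/tmp/x; id > /tmp/pwned\n"
    "log_dir=/var/log/minidlna\n";

/* Look up "key=value" in a config blob and copy the value into out.
 * Returns 1 if the key was found, 0 otherwise. No validation on purpose:
 * this is the point where SI-10 input validation is missing. */
static int config_get(const char *conf, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = conf;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = len - klen - 1;
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* VULNERABLE pattern: the directory is spliced into a command string that a
 * real daemon would hand to system(). Only the string is built here so the
 * injected ';' and the attacker's command are visible without running them. */
static void build_shell_cmd(const char *dir, char *cmd, size_t cmdlen)
{
    snprintf(cmd, cmdlen, "rm -rf %s/files.db", dir);
}

/* HARDENED step 1 (SI-10): reject a directory value containing shell
 * metacharacters, whitespace or control bytes, and require an absolute path.
 * Returns 1 if the value is acceptable, 0 if it must be rejected.
 * Whitespace is deliberately rejected too; loosen if your paths need it. */
static int path_is_safe(const char *dir)
{
    static const char bad[] = ";|&$`<>()\\\"' \t\n*?[]{}~!#";
    for (const unsigned char *p = (const unsigned char *)dir; *p; p++) {
        if (*p < 0x20 || *p == 0x7f || strchr(bad, *p))
            return 0;
    }
    return dir[0] == '/';
}

/* HARDENED step 2: no shell at all. Validate, build the concrete file path,
 * and remove it with unlink(2) directly, so metacharacters can never be
 * interpreted. Returns 0 on success, -1 if the value is rejected or the
 * path would be truncated, -2 if unlink itself fails (e.g. ENOENT). */
static int remove_db_file(const char *dir)
{
    char path[4096];
    if (!path_is_safe(dir))
        return -1;
    int n = snprintf(path, sizeof path, "%s/files.db", dir);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    return unlink(path) == 0 ? 0 : -2;
}

int main(void)
{
    char dir[256], cmd[512];
    if (!config_get(MALICIOUS_CONF, "db_dir", dir, sizeof dir))
        return 1;
    build_shell_cmd(dir, cmd, sizeof cmd);
    printf("vulnerable daemon would run : %s\n", cmd);
    printf("path_is_safe(db_dir)        : %d\n", path_is_safe(dir));
    printf("remove_db_file(db_dir)      : %d (rejected before any exec)\n",
           remove_db_file(dir));
    return 0;
}
```

The vulnerable string shows why CWE-77 is the right classification: the config value is not a path by the time it reaches the shell, it is a second command. Note that validation alone is a weaker fix than removing the shell; `remove_db_file` does both, so a future bypass of the character list still has no interpreter to target.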
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-45777
Vulnerability details
Command Injection in Minidlna version v1.3.3 and before allows an attacker to execute arbitrary OS commands via a specially crafted minidlna.conf configuration file.
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection via a malicious configuration file directly enables Unix shell command execution (T1059.004) once a user loads the file (User Execution: Malicious File, T1204.002).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2024-51442 by identifying, reporting, and applying a fixed MiniDLNA release once one is available; note that the references on this page do not yet state a patched version.
- SI-10 (Information Input Validation): prevents command injection by validating configuration values at the minidlna.conf parsing points before any of them can reach an OS command.
- Establishes and enforces a secure baseline configuration for MiniDLNA (a known-good minidlna.conf with restricted write permissions) so that a vulnerable or malicious configuration file is not deployed in the first place.