VuXML ID | Description |
6001cfc6-9f0f-4fae-9b4f-9b8fae001425 | PowerDNS -- Insufficient validation in the HTTP remote backend
PowerDNS developers report:
An issue has been found in PowerDNS Authoritative Server when the HTTP remote backend is used in RESTful mode (without post=1 set), allowing a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the configured one, via a crafted DNS query. This can be used to cause a denial of service by preventing the remote backend from getting a response, content spoofing if the attacker can time its own query so that subsequent queries will use an attacker-controlled HTTP server instead of the configured one, and possibly information disclosure if the Authoritative Server has access to internal servers.
Discovery 2019-03-18 Entry 2019-03-19 powerdns
< 4.1.7
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
CVE-2019-3871
|
61d89849-43cb-11eb-aba5-00a09858faf5 | powerdns -- Various issues in GSS-TSIG support
PowerDNS developers report:
A remote, unauthenticated attacker can trigger a race condition
leading to a crash, or possibly arbitrary code execution, by sending crafted queries with a GSS-TSIG signature.
A remote, unauthenticated attacker can cause a denial of service by
sending crafted queries with a GSS-TSIG signature.
A remote, unauthenticated attacker might be able to cause a double-free,
leading to a crash or possibly arbitrary code execution by sending crafted queries with a GSS-TSIG signature.
Discovery 2020-08-27 Entry 2020-12-21 powerdns
< 4.4.0
CVE-2020-24696
CVE-2020-24697
CVE-2020-24698
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-06.html
|
0aee2f13-ec1d-11e8-8c92-6805ca2fa271 | powerdns -- Multiple vulnerabilities
PowerDNS Team reports:
CVE-2018-10851: An issue has been found in PowerDNS Authoritative Server allowing
an authorized user to cause a memory leak by inserting a specially crafted record
in a zone under their control, then sending a DNS query for that record. The issue
is due to the fact that some memory is allocated before the parsing and is not
always properly released if the record is malformed. When the PowerDNS
Authoritative Server is run inside the guardian (--guardian), or inside a
supervisor like supervisord or systemd, an out-of-memory crash will lead to an
automatic restart, limiting the impact to a somewhat degraded service.
CVE-2018-14626: An issue has been found in PowerDNS Authoritative Server allowing
a remote user to craft a DNS query that will cause an answer without DNSSEC
records to be inserted into the packet cache and be returned to clients asking for
DNSSEC records, thus hiding the presence of DNSSEC signatures for a specific qname
and qtype. For a DNSSEC-signed domain, this means that DNSSEC validating clients
will consider the answer to be bogus until it expires from the packet cache,
leading to a denial of service.
Discovery 2018-11-06 Entry 2018-11-19 powerdns
< 4.1.5
https://doc.powerdns.com/authoritative/changelog/4.1.html
CVE-2018-10851
CVE-2018-14626
|
1c21f6a3-9415-11e9-95ec-6805ca2fa271 | powerdns -- multiple vulnerabilities
PowerDNS Team reports:
CVE-2019-10162: An issue has been found in PowerDNS Authoritative Server allowing an authorized user to
cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The
issue is due to the fact that the Authoritative Server will exit when it runs into a parsing error while
looking up the NS/A/AAAA records it is about to use for an outgoing notify.
CVE-2019-10163: An issue has been found in PowerDNS Authoritative Server allowing a remote, authorized
master server to cause a high CPU load or even prevent any further updates to any slave zone by sending
a large number of NOTIFY messages. Note that only servers configured as slaves are affected by this issue.
Discovery 2019-06-21 Entry 2019-06-21 powerdns
< 4.1.10
https://doc.powerdns.com/authoritative/changelog/4.1.html#change-4.1.10
CVE-2019-10162
CVE-2019-10163
|