CVE-2017-15091

Source
https://nvd.nist.gov/vuln/detail/CVE-2017-15091
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-15091.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-15091
Related
Published
2018-01-23T15:29:00Z
Modified
2024-10-12T02:35:56.938506Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVSS Calculator
Summary
[none]
Details

An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY.

References

Affected packages

Debian:11 / pdns

Package

Name
pdns
Purl
pkg:deb/debian/pdns?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / pdns

Package

Name
pdns
Purl
pkg:deb/debian/pdns?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / pdns

Package

Name
pdns
Purl
pkg:deb/debian/pdns?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/powerdns/pdns

Affected ranges

Affected versions

auth-3.*

auth-3.1-rc1
auth-3.1-rc2
auth-3.1-rc3
auth-3.2-rc1
auth-3.2-rc2
auth-3.2-rc3
auth-3.2-rc4
auth-3.3
auth-3.3-rc1
auth-3.3-rc2
auth-3.4.0
auth-3.4.0-rc1
auth-3.4.0-rc2
auth-3.4.1
auth-3.4.10
auth-3.4.11
auth-3.4.2
auth-3.4.3
auth-3.4.4
auth-3.4.5
auth-3.4.6
auth-3.4.7
auth-3.4.8
auth-3.4.9

auth-4.*

auth-4.0.0
auth-4.0.0-alpha1
auth-4.0.0-alpha2
auth-4.0.0-alpha3
auth-4.0.0-beta1
auth-4.0.0-rc1
auth-4.0.0-rc2
auth-4.0.1

dnsdist-1.*

dnsdist-1.0.0
dnsdist-1.0.0-alpha1
dnsdist-1.0.0-alpha2
dnsdist-1.0.0-beta1
dnsdist-1.1.0-beta1

Other

rec-3-0
rec-3-0-1

rec-3.*

rec-3.0
rec-3.0.1
rec-3.1.4
rec-3.3.1
rec-3.5
rec-3.5-rc1
rec-3.5-rc3
rec-3.5-rc4
rec-3.5-rc5
rec-3.6.0
rec-3.6.0-rc1
rec-3.7.0
rec-3.7.0-rc1
rec-3.7.0-rc2

rec-4.*

rec-4.0.0
rec-4.0.0-alpha1
rec-4.0.0-alpha2
rec-4.0.0-alpha3
rec-4.0.0-beta1
rec-4.0.0-rc1
rec-4.0.1
rec-4.0.2
rec-4.0.3
rec-4.0.4