CVE-2017-15091

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-15091

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-15091.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-15091

Related

Published

2018-01-23T15:29:00Z

Modified

2024-09-11T04:13:03.696752Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVSS Calculator

Summary

[none]

Details

An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY.

References

Affected packages

Debian:11 / pdns

Package

Name: pdns
Purl: pkg:deb/debian/pdns?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / pdns

Package

Name: pdns
Purl: pkg:deb/debian/pdns?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / pdns

Package

Name: pdns
Purl: pkg:deb/debian/pdns?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/powerdns/pdns

Affected ranges

Type: GIT
Repo: https://github.com/powerdns/pdns
Events: Introduced

8af92496cde4e280f80dc5cf94269a001509c9ee

Last affected

06ede1f2c905091585c1adfc4eb9208e256fcb3b

Introduced

ba64cecd417688dc39c75e92f1a23b91f7f46d64

Last affected

9388f1be79e49a1def301dad55512d50637b4982

Affected versions

auth-3.*

auth-3.1-rc1

auth-3.1-rc2

auth-3.1-rc3

auth-3.2-rc1

auth-3.2-rc2

auth-3.2-rc3

auth-3.2-rc4

auth-3.3

auth-3.3-rc1

auth-3.3-rc2

auth-3.4.0

auth-3.4.0-rc1

auth-3.4.0-rc2

auth-3.4.1

auth-3.4.10

auth-3.4.11

auth-3.4.2

auth-3.4.3

auth-3.4.4

auth-3.4.5

auth-3.4.6

auth-3.4.7

auth-3.4.8

auth-3.4.9

auth-4.*

auth-4.0.0

auth-4.0.0-alpha1

auth-4.0.0-alpha2

auth-4.0.0-alpha3

auth-4.0.0-beta1

auth-4.0.0-rc1

auth-4.0.0-rc2

auth-4.0.1

dnsdist-1.*

dnsdist-1.0.0

dnsdist-1.0.0-alpha1

dnsdist-1.0.0-alpha2

dnsdist-1.0.0-beta1

dnsdist-1.1.0-beta1

Other

rec-3-0

rec-3-0-1

rec-3.*

rec-3.0

rec-3.0.1

rec-3.1.4

rec-3.3.1

rec-3.5

rec-3.5-rc1

rec-3.5-rc3

rec-3.5-rc4

rec-3.5-rc5

rec-3.6.0

rec-3.6.0-rc1

rec-3.7.0

rec-3.7.0-rc1

rec-3.7.0-rc2

rec-4.*

rec-4.0.0

rec-4.0.0-alpha1

rec-4.0.0-alpha2

rec-4.0.0-alpha3

rec-4.0.0-beta1

rec-4.0.0-rc1

rec-4.0.1

rec-4.0.2

rec-4.0.3

rec-4.0.4