CVE-2017-15093

Source
https://nvd.nist.gov/vuln/detail/CVE-2017-15093
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-15093.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-15093
Related
Published
2018-01-23T15:29:00Z
Modified
2024-10-12T02:36:00.166117Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor's configuration.

References

Affected packages

Debian:11 / pdns-recursor

Package

Name
pdns-recursor
Purl
pkg:deb/debian/pdns-recursor?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / pdns-recursor

Package

Name
pdns-recursor
Purl
pkg:deb/debian/pdns-recursor?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / pdns-recursor

Package

Name
pdns-recursor
Purl
pkg:deb/debian/pdns-recursor?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/powerdns/pdns

Affected ranges

Affected versions

auth-3.*

auth-3.1-rc1
auth-3.1-rc2
auth-3.1-rc3
auth-3.2-rc1
auth-3.2-rc2
auth-3.2-rc3
auth-3.2-rc4
auth-3.3
auth-3.3-rc1
auth-3.3-rc2
auth-3.4.0
auth-3.4.0-rc1
auth-3.4.0-rc2

auth-4.*

auth-4.0.0
auth-4.0.0-alpha1
auth-4.0.0-alpha2
auth-4.0.0-alpha3
auth-4.0.0-beta1
auth-4.0.0-rc1
auth-4.0.0-rc2
auth-4.0.1

dnsdist-1.*

dnsdist-1.0.0
dnsdist-1.0.0-alpha1
dnsdist-1.0.0-alpha2
dnsdist-1.0.0-beta1
dnsdist-1.1.0-beta1

Other

rec-3-0
rec-3-0-1

rec-3.*

rec-3.0
rec-3.0.1
rec-3.1.4
rec-3.3.1
rec-3.5
rec-3.5-rc1
rec-3.5-rc3
rec-3.5-rc4
rec-3.5-rc5
rec-3.6.0
rec-3.6.0-rc1
rec-3.7.0
rec-3.7.0-rc1
rec-3.7.0-rc2
rec-3.7.1
rec-3.7.2
rec-3.7.3
rec-3.7.4

rec-4.*

rec-4.0.0
rec-4.0.0-alpha1
rec-4.0.0-alpha2
rec-4.0.0-alpha3
rec-4.0.0-beta1
rec-4.0.0-rc1
rec-4.0.1
rec-4.0.2
rec-4.0.3
rec-4.0.4
rec-4.0.5
rec-4.0.5-rc1
rec-4.0.5-rc2
rec-4.0.6