CVE-2020-14312

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-14312
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-14312.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-14312
Related
Published
2021-02-06T00:15:12Z
Modified
2024-09-11T02:00:05Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option local-service is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems.

References

Affected packages

Debian:11 / dnsmasq

Package

Name
dnsmasq
Purl
pkg:deb/debian/dnsmasq?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.69-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / dnsmasq

Package

Name
dnsmasq
Purl
pkg:deb/debian/dnsmasq?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.69-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / dnsmasq

Package

Name
dnsmasq
Purl
pkg:deb/debian/dnsmasq?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.69-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}