Powerdns · Powerdns Authoritative · CVE-2017-15091
Name of the Vulnerable Software and Affected Versions:
PowerDNS Authoritative versions 3.x up to and including 3.4.11
PowerDNS Authoritative versions 4.x up to and including 4.0.4
Description:
The issue concerns the API component, where certain operations that impact the server state are permitted despite the API being configured as read-only. This allows an attacker with valid API credentials to perform actions such as flushing the cache, triggering a zone transfer, or sending a NOTIFY.
Recommendations:
For PowerDNS Authoritative versions 3.x up to and including 3.4.11, update to a version that includes the fix for this issue.
For PowerDNS Authoritative versions 4.x up to and including 4.0.4, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the API or limiting the privileges of API credentials to minimize the risk of exploitation.
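The workaround above amounts to treating every API credential as write-capable and keeping the API reachable only from trusted hosts. The following script, added here as an example and not part of the advisory or of the PowerDNS project, audits a `pdns.conf` for exactly those settings. The setting names (`api`, `api-key`, `api-readonly`, `webserver-allow-from`) are real PowerDNS Authoritative options; the two configuration excerpts are constructed samples, and the loopback-only policy the audit enforces is an assumption chosen for this example, not a PowerDNS default.

```python
"""Audit a PowerDNS Authoritative pdns.conf for API exposure (example, not project code)."""
from ipaddress import ip_network

# Constructed sample: API enabled, no key, read-only flag relied upon, open to the world.
WEAK_CONF = """
# constructed pdns.conf excerpt
launch=gsqlite3
api=yes
api-readonly=yes
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0,::/0
"""

# Constructed sample: same server with access restricted (workaround only; upgrading is still required).
HARDENED_CONF = """
launch=gsqlite3
api=yes
api-key=REPLACE-WITH-A-RANDOM-SECRET
webserver=yes
webserver-address=127.0.0.1
webserver-allow-from=127.0.0.1,::1
"""

# Lenient boolean parsing; PowerDNS itself documents yes/no.
TRUE_VALUES = {"yes", "true", "on", "1"}


def parse_pdns_conf(text):
    """Parse key=value lines; '#' starts a comment; a later key overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def non_loopback_sources(allow_from):
    """Return the entries of a comma-separated allow list that are not loopback networks."""
    wide = []
    for entry in allow_from.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            net = ip_network(entry, strict=False)
        except ValueError:
            wide.append(entry)  # unparseable entry: surface it rather than silently accept it
            continue
        if not net.is_loopback:
            wide.append(entry)
    return wide


def audit_api_exposure(conf):
    """Return a list of findings; an empty list means the checked settings look restricted."""
    findings = []
    if not is_true(conf.get("api", "no")):
        return findings  # API disabled: the read-only bypass is unreachable
    if not conf.get("api-key"):
        findings.append("api is enabled without api-key; every caller is unauthenticated")
    if is_true(conf.get("api-readonly", "no")):
        findings.append(
            "api-readonly=yes is set, but on affected versions it does not block "
            "cache flush, zone transfer or NOTIFY; treat the credentials as write-capable"
        )
    allow = conf.get("webserver-allow-from")
    if allow is None:
        findings.append("webserver-allow-from is not set; pin it explicitly rather than relying on the version's default")
    else:
        wide = non_loopback_sources(allow)
        if wide:
            findings.append("webserver-allow-from admits non-loopback sources: " + ", ".join(wide))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for finding in audit_api_exposure(parse_pdns_conf(text)) or ["no findings"]:
            print("  -", finding)
```

Run against a real server's `pdns.conf` by reading the file into `parse_pdns_conf`; the audit deliberately reports `api-readonly=yes` as a finding rather than a control, because on the affected versions that flag is exactly what this advisory shows to be insufficient.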