PT-2018-5758 · Powerdns+1 · Powerdns Authoritative+2

Everyman

Published

2018-01-23

Updated

2024-06-15

CVE-2017-15091

CVSS v3.1

7.1

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Name of the Vulnerable Software and Affected Versions: PowerDNS Authoritative versions 3.x up to and including 3.4.11 PowerDNS Authoritative versions 4.x up to and including 4.0.4

Description: The issue concerns the API component, where certain operations that impact the server state are permitted despite the API being configured as read-only. This allows an attacker with valid API credentials to perform actions such as flushing the cache, triggering a zone transfer, or sending a NOTIFY.

Recommendations: For PowerDNS Authoritative versions 3.x up to and including 3.4.11, update to a version that includes the fix for this issue. For PowerDNS Authoritative versions 4.x up to and including 4.0.4, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the API or limiting the privileges of API credentials to minimize the risk of exploitation.

Fix

Incorrect Authorization

Improperly Implemented Security Check for Standard

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863CWE-358

Related Identifiers

ALT-PU-2020-1325

ALT-PU-2020-1407

CVE-2017-15091

OPENSUSE-SU-2024:11156-1

Affected Products

Alt Linux

Powerdns Authoritative

Powerdns Authoritative Server

PT-2018-5758 · Powerdns+1 · Powerdns Authoritative+2

CVE-2017-15091

Weakness Enumeration

Related Identifiers

Affected Products

References · 42