var-202010-0408
Vulnerability from variot
An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. PowerDNS Authoritative Server Contains an information disclosure vulnerability.Information may be obtained. PowerDNS Authoritative Server is a DNS server of Dutch PowerDNS company.
Background
The PowerDNS nameserver is an authoritative-only nameserver which uses a flexible backend architecture.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-dns/pdns < 4.3.1 >= 4.3.1
Description
It was discovered that PowerDNS did not properly handle certain unknown records. Crafted records cannot be inserted via AXFR.
Workaround
Do not take zone data from untrusted users.
Resolution
All PowerDNS users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-dns/pdns-4.3.1"
References
[ 1 ] CVE-2020-17482 https://nvd.nist.gov/vuln/detail/CVE-2020-17482 [ 2 ] PowerDNS Security Advisory 2020-05
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202012-18
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202010-0408",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "authoritative",
"scope": "lt",
"trust": 1.0,
"vendor": "powerdns",
"version": "4.3.1"
},
{
"model": "authoritative server",
"scope": "eq",
"trust": 0.8,
"vendor": "powerdns",
"version": null
},
{
"model": "authoritative server",
"scope": "lt",
"trust": 0.8,
"vendor": "powerdns",
"version": "4.3.1 less than"
},
{
"model": "authoritative server",
"scope": "lt",
"trust": 0.6,
"vendor": "powerdns",
"version": "4.3.1"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-57064"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-012088"
},
{
"db": "NVD",
"id": "CVE-2020-17482"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Gentoo",
"sources": [
{
"db": "PACKETSTORM",
"id": "160711"
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1634"
}
],
"trust": 0.7
},
"cve": "CVE-2020-17482",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CVE-2020-17482",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CNVD-2020-57064",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"id": "CVE-2020-17482",
"impactScore": 1.4,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2020-17482",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-17482",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2020-17482",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2020-57064",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202009-1634",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-57064"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-012088"
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1634"
},
{
"db": "NVD",
"id": "CVE-2020-17482"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. PowerDNS Authoritative Server Contains an information disclosure vulnerability.Information may be obtained. PowerDNS Authoritative Server is a DNS server of Dutch PowerDNS company. \n\nBackground\n==========\n\nThe PowerDNS nameserver is an authoritative-only nameserver which uses\na flexible backend architecture. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 net-dns/pdns \u003c 4.3.1 \u003e= 4.3.1\n\nDescription\n===========\n\nIt was discovered that PowerDNS did not properly handle certain unknown\nrecords. \nCrafted records cannot be inserted via AXFR. \n\nWorkaround\n==========\n\nDo not take zone data from untrusted users. \n\nResolution\n==========\n\nAll PowerDNS users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-dns/pdns-4.3.1\"\n\nReferences\n==========\n\n[ 1 ] CVE-2020-17482\n https://nvd.nist.gov/vuln/detail/CVE-2020-17482\n[ 2 ] PowerDNS Security Advisory 2020-05\n \nhttps://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202012-18\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2020 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-17482"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-012088"
},
{
"db": "CNVD",
"id": "CNVD-2020-57064"
},
{
"db": "PACKETSTORM",
"id": "160711"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-17482",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2020-012088",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "160711",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2020-57064",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "50576",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1634",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-57064"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-012088"
},
{
"db": "PACKETSTORM",
"id": "160711"
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1634"
},
{
"db": "NVD",
"id": "CVE-2020-17482"
}
]
},
"id": "VAR-202010-0408",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-57064"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-57064"
}
]
},
"last_update_date": "2024-11-23T22:29:27.861000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Leaking\u00a0uninitialised\u00a0memory\u00a0through\u00a0crafted\u00a0zone\u00a0records",
"trust": 0.8,
"url": "https://github.com/PowerDNS/pdns"
},
{
"title": "Patch for PowerDNS Authoritative Server information disclosure vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/236497"
},
{
"title": "PowerDNS Authoritative Server Repair measures for information disclosure vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=131086"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-57064"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-012088"
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1634"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-908",
"trust": 1.0
},
{
"problemtype": "information leak (CWE-200) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-012088"
},
{
"db": "NVD",
"id": "CVE-2020-17482"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-17482"
},
{
"trust": 1.7,
"url": "https://security.gentoo.org/glsa/202012-18"
},
{
"trust": 1.6,
"url": "https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html"
},
{
"trust": 1.6,
"url": "https://github.com/powerdns/pdns"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/powerdns-information-disclosure-via-zone-records-33428"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/50576"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/160711/gentoo-linux-security-advisory-202012-18.html"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-57064"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-012088"
},
{
"db": "PACKETSTORM",
"id": "160711"
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1634"
},
{
"db": "NVD",
"id": "CVE-2020-17482"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2020-57064"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-012088"
},
{
"db": "PACKETSTORM",
"id": "160711"
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1634"
},
{
"db": "NVD",
"id": "CVE-2020-17482"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-10-15T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-57064"
},
{
"date": "2021-04-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-012088"
},
{
"date": "2020-12-24T17:18:18",
"db": "PACKETSTORM",
"id": "160711"
},
{
"date": "2020-09-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202009-1634"
},
{
"date": "2020-10-02T09:15:13.570000",
"db": "NVD",
"id": "CVE-2020-17482"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-10-16T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-57064"
},
{
"date": "2021-04-23T08:59:00",
"db": "JVNDB",
"id": "JVNDB-2020-012088"
},
{
"date": "2022-01-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202009-1634"
},
{
"date": "2024-11-21T05:08:12.210000",
"db": "NVD",
"id": "CVE-2020-17482"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "160711"
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1634"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "PowerDNS Authoritative Server information disclosure vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-57064"
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1634"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202009-1634"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.