Published: 23/01/2018 Updated: 09/10/2019

CVSS v2 Base Score: 5.5 | Impact Score: 4.9 | Exploitability Score: 8

CVSS v3 Base Score: 7.1 | Impact Score: 4.2 | Exploitability Score: 2.8

VMScore: 490

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P

An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY.

Vulnerable Product	Search on Vulmon	Subscribe to Product
powerdns authoritative

An issue has been found in the API component of PowerDNS Authoritative < 405, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the 'api-readonly' keyword This missing check allows an attacker with valid API credentials to flush the cache, trigger a ...

Open source nameserver used by millions needs patching

The Register • Richard Chirgwin • 28 Nov 2017

PowerDNS admins, feel free to fix these DNSSEC bugs before something nasty happens

Open source DNS software vendor PowerDNS has advised users to patch its "Authoritative" and "Recursor" products, to squish five bugs disclosed today. None of the bugs pose a risk that PowerDNS might itself be compromised, but this is the DNS: what an attacker can do is fool around with DNS records in various ways. That can be catastrophic if done right: for example, if a network is tricked into advertising itself as the whole of the Internet, it can be hosed, or if the wrong network promises it'...

CVE-2017-15091

Vulnerability Summary

Vendor Advisories

Recent Articles

References

Vulmon Search

About

Products

Connect