
CVE-2019-3871

Published: 21/03/2019 Updated: 07/11/2023
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 578
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

A vulnerability was found in PowerDNS Authoritative Server versions prior to 4.0.7 and prior to 4.1.7. Insufficient validation of user-supplied data when building an HTTP request from a DNS query in the HTTP Connector of the Remote backend allows a remote user to cause a denial of service by making the server connect to an invalid endpoint, or possibly information disclosure by making the server connect to an internal endpoint and somehow extracting meaningful information about the response.

Vulnerable Product

powerdns authoritative server

fedoraproject fedora 28

fedoraproject fedora 29

Vendor Advisories

Debian Bug report logs - #924966 pdns: CVE-2019-3871: Insufficient validation in the HTTP remote backend. Package: src:pdns; Maintainer for src:pdns is pdns packagers <pdns@packages.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 19 Mar 2019 09:36:02 UTC; Severity: grave; Tags: fixed-upstre ...
Adam Dobrawy, Frederico Silva and Gregory Brzeski from HyperOne.com discovered that pdns, an authoritative DNS server, did not properly validate user-supplied data when building a HTTP request from a DNS query in the HTTP Connector of the Remote backend. This would allow a remote user to cause either a denial-of-service, or information disclosure ...
An issue has been found in PowerDNS Authoritative Server before 4.1.7, when the HTTP remote backend is used in RESTful mode (without post=1 set), allowing a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the configured one, via a crafted DNS query. This can be used to cause a denial of service by preventin ...

Mailing Lists

oss-sec mailing list archives: PowerDNS Security Advisory 2019-03 From: Erik Winkels <erikwinkels ...