Vulnerability Description
When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor's configuration.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Powerdns | Recursor | >= 3.0, <= 3.7.4 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/101982Third Party AdvisoryVDB Entry
- https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.MitigationPatchVendor Advisory
- http://www.securityfocus.com/bid/101982Third Party AdvisoryVDB Entry
- https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.MitigationPatchVendor Advisory
FAQ
What is CVE-2017-15093?
CVE-2017-15093 is a vulnerability with a CVSS score of 5.3 (MEDIUM). When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized use...
How severe is CVE-2017-15093?
CVE-2017-15093 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-15093?
Check the references section above for vendor advisories and patch information. Affected products include: Powerdns Recursor.