CVE-2023-29483 — HIGH (7.0)

Q: How severe is CVE-2023-29483?

CVE-2023-29483 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-29483?

Check the references section above for vendor advisories and patch information. Affected products include: Eventlet Eventlet, Dnspython Dnspython, Fedoraproject Fedora, Netapp Bootstrap Os, Netapp Hci Compute Node.

Vulnerability Description

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.

CVSS Score

7.0

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

HIGH

Affected Products

Vendor	Product	Versions
Eventlet	Eventlet	< 0.35.2
Dnspython	Dnspython	< 2.6.0
Fedoraproject	Fedora	38
Netapp	Bootstrap Os	-
Netapp	Hci Compute Node	-

Related Weaknesses (CWE)

CWE-292

References

https://github.com/eventlet/eventlet/issues/913ExploitIssue Tracking
https://github.com/eventlet/eventlet/releases/tag/v0.35.2Release Notes
https://github.com/rthalley/dnspython/issues/1045ExploitIssue Tracking
https://github.com/rthalley/dnspython/releases/tag/v2.6.0Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://security.netapp.com/advisory/ntap-20240510-0001/Third Party Advisory
https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713Third Party Advisory
https://www.dnspython.org/Product
https://github.com/eventlet/eventlet/issues/913ExploitIssue Tracking
https://github.com/eventlet/eventlet/releases/tag/v0.35.2Release Notes
https://github.com/rthalley/dnspython/issues/1045ExploitIssue Tracking
https://github.com/rthalley/dnspython/releases/tag/v2.6.0Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List

FAQ

What is CVE-2023-29483?

CVE-2023-29483 is a vulnerability with a CVSS score of 7.0 (HIGH). eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source po...

How severe is CVE-2023-29483?

CVE-2023-29483 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-29483?

Check the references section above for vendor advisories and patch information. Affected products include: Eventlet Eventlet, Dnspython Dnspython, Fedoraproject Fedora, Netapp Bootstrap Os, Netapp Hci Compute Node.