CVE-2017-15093

Vendor: PowerDNS
Product: PowerDNS Recursor
Weakness: CWE-20 (Input validation)
Published: January 23, 2018
Last update: September 17, 2024

What the vulnerability does

01 Description

When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor's configuration.
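The missing check described above, shown as an added example (not PowerDNS code and not part of the original record): API-supplied netmasks and forwarder addresses are parsed, and only the canonical form re-serialised from the parsed object is written out, so a value carrying a line break or extra text never reaches the configuration file. The helper names, the length limit and the single-line `allow-from=` layout are assumptions made for illustration.

```python
import ipaddress

MAX_LEN = 64  # assumed upper bound; any textual IP network is shorter

def _reject_control(value):
    # Refuse anything that is not a short, printable, whitespace-free string.
    if not isinstance(value, str) or not 0 < len(value) <= MAX_LEN:
        raise ValueError("bad length or type")
    if any(c.isspace() or not c.isprintable() for c in value):
        raise ValueError("whitespace or control character in value")

def canonical_netmask(value):
    """Parse an ACL entry and return it re-serialised from the parsed object."""
    _reject_control(value)
    # strict=False accepts host bits (192.0.2.77/24) and normalises them away.
    return str(ipaddress.ip_network(value, strict=False))

def canonical_forwarder(value):
    """Parse 'ip', 'ipv4:port' or '[ipv6]:port' and return a canonical string."""
    _reject_control(value)
    host, port = value, None
    if value.startswith("["):
        host, sep, rest = value[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError("malformed bracketed address")
        port = rest[1:] if rest else None
    elif value.count(":") == 1:
        host, port = value.split(":")
    addr = ipaddress.ip_address(host)  # raises ValueError on anything else
    if port is None:
        return str(addr)
    if not (port.isascii() and port.isdigit()) or not 0 < int(port) < 65536:
        raise ValueError("bad port")
    if addr.version == 6:
        return f"[{addr}]:{int(port)}"
    return f"{addr}:{int(port)}"

def render_allow_from(netmasks):
    """Build one config line from validated entries only (assumed layout)."""
    return "allow-from=" + ", ".join(canonical_netmask(n) for n in netmasks)
```
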

Key dates

02 Disclosure timeline

January 23, 2018: CVE published
September 17, 2024: Record updated