CVE-2018-14663

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-14663

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14663.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-14663

Related

Published

2018-11-26T23:29:00Z

Modified

2024-09-18T01:00:21Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing data such that the addition of a record by dnsdist, for example an OPT record when adding EDNS Client Subnet, might result in the trailing data being smuggled to the backend as a valid record while not seen by dnsdist. This is an issue when dnsdist is deployed as a DNS Firewall and used to filter some records that should not be received by the backend. This issue occurs only when either the 'useClientSubnet' or the experimental 'addXPF' parameters are used when declaring a new backend.

References

Affected packages

Debian:11 / dnsdist

Package

Name: dnsdist
Purl: pkg:deb/debian/dnsdist?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / dnsdist

Package

Name: dnsdist
Purl: pkg:deb/debian/dnsdist?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / dnsdist

Package

Name: dnsdist
Purl: pkg:deb/debian/dnsdist?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}