CVE-2018-5738

Source
https://cve.org/CVERecord?id=CVE-2018-5738
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-5738.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-5738
Downstream
Related
Published
2019-01-16T20:29:00.907Z
Modified
2026-07-08T05:52:32.433205464Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the "allow-recursion" setting, it SHOULD default to one of the following: none, if "recursion no;" is set in named.conf; a value inherited from the "allow-query-cache" or "allow-query" settings IF "recursion yes;" (the default for that setting) AND match lists are explicitly set for "allow-query-cache" or "allow-query" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of "allow-recursion {localhost; localnets;};" if "recursion yes;" is in effect and no values are explicitly set for "allow-query-cache" or "allow-query". However, because of the regression introduced by change #4777, it is possible when "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query" for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.

Database specific
{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"
            ],
            "vendor_product": "canonical:ubuntu_linux",
            "extracted_events": [
                {
                    "introduced": "18.04"
                },
                {
                    "last_affected": "18.04"
                }
            ],
            "source": "CPE_STRING"
        },
        {
            "cpes": [
                "cpe:2.3:a:isc:bind:9.11.3:s2:*:*:*:*:*:*"
            ],
            "vendor_product": "isc:bind",
            "extracted_events": [
                {
                    "introduced": "9.11.3-s2"
                },
                {
                    "last_affected": "9.11.3-s2"
                },
                {
                    "introduced": "9.11.3-s2"
                },
                {
                    "last_affected": "9.11.3-s2"
                }
            ],
            "source": "CPE_STRING"
        }
    ]
}
References

Affected packages

Git / github.com/isc-projects/bind9

Affected ranges

Type
GIT
Repo
https://github.com/isc-projects/bind9
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:isc:bind:9.9.12:*:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.9.12:s1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.10.7:*:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.10.7:s1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.11.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.11.3:s1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.0:a1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.0:b1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.0:b2:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.0:rc1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.0:rc3:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.1:p1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.1:p2:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.13.0:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "9.9.12"
        },
        {
            "last_affected": "9.9.12"
        },
        {
            "introduced": "9.9.12-s1"
        },
        {
            "last_affected": "9.9.12-s1"
        },
        {
            "introduced": "9.10.7"
        },
        {
            "last_affected": "9.10.7"
        },
        {
            "introduced": "9.10.7-s1"
        },
        {
            "last_affected": "9.10.7-s1"
        },
        {
            "introduced": "9.11.3"
        },
        {
            "last_affected": "9.11.3"
        },
        {
            "introduced": "9.11.3-s1"
        },
        {
            "last_affected": "9.11.3-s1"
        },
        {
            "introduced": "9.12.0"
        },
        {
            "last_affected": "9.12.0"
        },
        {
            "introduced": "9.12.0-a1"
        },
        {
            "last_affected": "9.12.0-a1"
        },
        {
            "introduced": "9.12.0-b1"
        },
        {
            "last_affected": "9.12.0-b1"
        },
        {
            "introduced": "9.12.0-b2"
        },
        {
            "last_affected": "9.12.0-b2"
        },
        {
            "introduced": "9.12.0-rc1"
        },
        {
            "last_affected": "9.12.0-rc1"
        },
        {
            "introduced": "9.12.0-rc3"
        },
        {
            "last_affected": "9.12.0-rc3"
        },
        {
            "introduced": "9.12.1"
        },
        {
            "last_affected": "9.12.1"
        },
        {
            "introduced": "9.12.1-p1"
        },
        {
            "last_affected": "9.12.1-p1"
        },
        {
            "introduced": "9.12.1-p2"
        },
        {
            "last_affected": "9.12.1-p2"
        },
        {
            "introduced": "9.13.0"
        },
        {
            "last_affected": "9.13.0"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

9.*
9.10.7
9.10.7-s1
9.11.3
9.11.3-s1
9.12.0
9.12.0-a1
9.12.0-b2
9.12.0-rc1
9.12.0-rc3
9.12.1
9.12.1-p1
9.12.1-p2
9.13.0
9.9.12
9.9.12-s1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-5738.json"

Git / gitlab.isc.org/isc-projects/bind9

Affected ranges

Type
GIT
Repo
https://gitlab.isc.org/isc-projects/bind9
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:isc:bind:9.9.12:*:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.9.12:s1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.10.7:*:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.10.7:s1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.11.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.11.3:s1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.0:a1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.0:b1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.0:b2:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.0:rc1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.0:rc3:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.1:p1:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.12.1:p2:*:*:*:*:*:*",
        "cpe:2.3:a:isc:bind:9.13.0:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "9.9.12"
        },
        {
            "last_affected": "9.9.12"
        },
        {
            "introduced": "9.9.12-s1"
        },
        {
            "last_affected": "9.9.12-s1"
        },
        {
            "introduced": "9.10.7"
        },
        {
            "last_affected": "9.10.7"
        },
        {
            "introduced": "9.10.7-s1"
        },
        {
            "last_affected": "9.10.7-s1"
        },
        {
            "introduced": "9.11.3"
        },
        {
            "last_affected": "9.11.3"
        },
        {
            "introduced": "9.11.3-s1"
        },
        {
            "last_affected": "9.11.3-s1"
        },
        {
            "introduced": "9.12.0"
        },
        {
            "last_affected": "9.12.0"
        },
        {
            "introduced": "9.12.0-a1"
        },
        {
            "last_affected": "9.12.0-a1"
        },
        {
            "introduced": "9.12.0-b1"
        },
        {
            "last_affected": "9.12.0-b1"
        },
        {
            "introduced": "9.12.0-b2"
        },
        {
            "last_affected": "9.12.0-b2"
        },
        {
            "introduced": "9.12.0-rc1"
        },
        {
            "last_affected": "9.12.0-rc1"
        },
        {
            "introduced": "9.12.0-rc3"
        },
        {
            "last_affected": "9.12.0-rc3"
        },
        {
            "introduced": "9.12.1"
        },
        {
            "last_affected": "9.12.1"
        },
        {
            "introduced": "9.12.1-p1"
        },
        {
            "last_affected": "9.12.1-p1"
        },
        {
            "introduced": "9.12.1-p2"
        },
        {
            "last_affected": "9.12.1-p2"
        },
        {
            "introduced": "9.13.0"
        },
        {
            "last_affected": "9.13.0"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

9.*
9.10.7
9.10.7-s1
9.11.3
9.11.3-s1
9.12.0
9.12.0-a1
9.12.0-b2
9.12.0-rc1
9.12.0-rc3
9.12.1
9.12.1-p1
9.12.1-p2
9.13.0
9.9.12
9.9.12-s1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-5738.json"