SB2017121530 - Improper access control in pdns (Alpine package)
Published: December 15, 2017
Security Bulletin ID
SB2017121530
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2017-15091)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to modify arbitrary data on the target system.
The weakness exists due to insufficient validation in the API component of PowerDNS Authoritative: some state-changing operations are still permitted even when the API has been configured as read-only via the api-readonly keyword. A remote attacker with valid API credentials can therefore flush the cache, trigger a zone transfer or send a NOTIFY despite the read-only setting.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=d6336af0a3286c8c01568fa8b645c482f4d06d7e
- https://git.alpinelinux.org/aports/commit/?id=943fe828eb474fd0c86ec357c79b053b6b7c469a
- https://git.alpinelinux.org/aports/commit/?id=11695c47fbbbe890b37c4036e7141e1b560ea2a6
- https://git.alpinelinux.org/aports/commit/?id=87b60f8f5ff6e721001f6740d9b3b1da8396deee