SB2017121530 - Improper access control in pdns (Alpine package)
Published: December 15, 2017
Security Bulletin ID: SB2017121530
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper access control (CVE-ID: CVE-2017-15091)
The vulnerability allows a remote attacker to modify arbitrary data on the target system. The weakness exists due to insufficient validation in the API component of PowerDNS Authoritative: when the API is configured as read-only via the api-readonly keyword, a remote attacker with valid API credentials can still flush the cache, trigger a zone transfer or send a NOTIFY.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=d6336af0a3286c8c01568fa8b645c482f4d06d7e
- https://git.alpinelinux.org/aports/commit/?id=943fe828eb474fd0c86ec357c79b053b6b7c469a
- https://git.alpinelinux.org/aports/commit/?id=11695c47fbbbe890b37c4036e7141e1b560ea2a6
- https://git.alpinelinux.org/aports/commit/?id=87b60f8f5ff6e721001f6740d9b3b1da8396deee