#VU29577 Improper access control in PowerDNS Recursor - CVE-2020-14196

Published: July 8, 2020 / Updated: July 15, 2020


Vulnerability identifier: #VU29577
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2020-14196
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
PowerDNS Recursor
Software vendor:
PowerDNS.COM B.V.

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists because the ACL applied to the internal web server via "webserver-allow-from" is not properly enforced. A remote attacker can send HTTP queries to the internal web server, bypassing the restriction.

Successful exploitation of the vulnerability requires that the API webserver is enabled (not the default value).
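The advisory makes two points a defender can check for: the web server is off by default, and when it is on, the "webserver-allow-from" ACL is the control that fails. The script below is an added example, not part of the advisory or of PowerDNS; it audits a PowerDNS Recursor configuration file for the exposed case (webserver enabled and bound to a non-loopback address, so that only the flawed ACL stands between the network and the API). It assumes the standard key=value recursor.conf format and the documented settings webserver, webserver-address and webserver-allow-from; the sample configuration is constructed, and the loopback default for webserver-address is taken from the PowerDNS documentation.

```shell
#!/bin/sh
# Added example (not from the advisory or PowerDNS): flag PowerDNS Recursor
# configurations where the API web server is reachable from the network and
# the webserver-allow-from ACL bypassed by CVE-2020-14196 is the only barrier.
# Assumes the documented key=value recursor.conf format.

# Constructed sample configuration; not a real deployment.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed recursor.conf
webserver=yes
webserver-address=0.0.0.0
webserver-port=8082
webserver-allow-from=127.0.0.1,::1
api-key=placeholder-api-key
EOF

# conf_get FILE KEY: print the value of KEY (last occurrence wins, as in
# PowerDNS); commented-out lines never match because they start with '#'.
conf_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//'
}

# audit_webserver FILE: return 0 when the web server is disabled (the default)
# or bound to loopback only; return 1 and print a finding when it listens on a
# network-reachable address, where only the ACL restricts access.
audit_webserver() {
    conf="$1"
    enabled="$(conf_get "$conf" webserver)"
    case "$enabled" in
        yes|true|on|1) ;;
        *) echo "OK: webserver disabled (default)"; return 0 ;;
    esac
    addr="$(conf_get "$conf" webserver-address)"
    if [ -z "$addr" ]; then
        addr="127.0.0.1"   # documented default for webserver-address
    fi
    case "$addr" in
        127.*|::1|localhost)
            echo "OK: webserver bound to loopback ($addr)"; return 0 ;;
    esac
    acl="$(conf_get "$conf" webserver-allow-from)"
    echo "FINDING: webserver enabled on $addr; only webserver-allow-from ($acl)" \
         "restricts access, and unpatched versions do not enforce it (CVE-2020-14196)"
    return 1
}

# Run against the constructed sample; exit status 1 indicates a finding.
audit_webserver "$SAMPLE_CONF" || echo "audit status: $?"
rm -f "$SAMPLE_CONF"
```

A finding here does not replace the vendor update; it identifies the hosts where the update is urgent and where, in the meantime, binding the web server to loopback (or filtering the port at the network layer) removes the dependency on the ACL.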


Remediation

Install updates from the vendor's website.

External links