CVE-2017-15091
CVE-2017-15091, security advisory, novell, suse linux, suse, security, cve

CVE-2017-15091

Common Vulnerabilities and Exposures

[Previous] [Index] [Next]

Upstream information

CVE-2017-15091 at MITRE

Description

An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 5.5
Vector AV:N/AC:L/Au:S/C:N/I:P/A:P
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact None
Integrity Impact Partial
Availability Impact Partial
CVSS v3 Scores
  National Vulnerability Database
Base Score 7.1
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Access Vector Network
Access Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Impact None
Integrity Impact Low
Availability Impact High
SUSE Bugzilla entry: 1069242 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE Leap 42.2
  • pdns >= 3.4.9-5.3.1
  • pdns-backend-ldap >= 3.4.9-5.3.1
  • pdns-backend-ldap-debuginfo >= 3.4.9-5.3.1
  • pdns-backend-lua >= 3.4.9-5.3.1
  • pdns-backend-lua-debuginfo >= 3.4.9-5.3.1
  • pdns-backend-mydns >= 3.4.9-5.3.1
  • pdns-backend-mydns-debuginfo >= 3.4.9-5.3.1
  • pdns-backend-mysql >= 3.4.9-5.3.1
  • pdns-backend-mysql-debuginfo >= 3.4.9-5.3.1
  • pdns-backend-postgresql >= 3.4.9-5.3.1
  • pdns-backend-postgresql-debuginfo >= 3.4.9-5.3.1
  • pdns-backend-sqlite3 >= 3.4.9-5.3.1
  • pdns-backend-sqlite3-debuginfo >= 3.4.9-5.3.1
  • pdns-debuginfo >= 3.4.9-5.3.1
  • pdns-debugsource >= 3.4.9-5.3.1
Patchnames:
openSUSE-2017-1340
openSUSE Leap 42.3
  • pdns >= 4.0.3-9.1
  • pdns-backend-geoip >= 4.0.3-9.1
  • pdns-backend-geoip-debuginfo >= 4.0.3-9.1
  • pdns-backend-godbc >= 4.0.3-9.1
  • pdns-backend-godbc-debuginfo >= 4.0.3-9.1
  • pdns-backend-ldap >= 4.0.3-9.1
  • pdns-backend-ldap-debuginfo >= 4.0.3-9.1
  • pdns-backend-lua >= 4.0.3-9.1
  • pdns-backend-lua-debuginfo >= 4.0.3-9.1
  • pdns-backend-mydns >= 4.0.3-9.1
  • pdns-backend-mydns-debuginfo >= 4.0.3-9.1
  • pdns-backend-mysql >= 4.0.3-9.1
  • pdns-backend-mysql-debuginfo >= 4.0.3-9.1
  • pdns-backend-postgresql >= 4.0.3-9.1
  • pdns-backend-postgresql-debuginfo >= 4.0.3-9.1
  • pdns-backend-remote >= 4.0.3-9.1
  • pdns-backend-remote-debuginfo >= 4.0.3-9.1
  • pdns-backend-sqlite3 >= 4.0.3-9.1
  • pdns-backend-sqlite3-debuginfo >= 4.0.3-9.1
  • pdns-debuginfo >= 4.0.3-9.1
  • pdns-debugsource >= 4.0.3-9.1
Patchnames:
openSUSE-2017-1340