Test ID: | 1.3.6.1.4.1.25623.1.0.142146 |
Category: | General |
Title: | PowerDNS Authoritative Server RESTful Vulnerability |
Summary: | An issue has been found in PowerDNS Authoritative Server when the HTTP remote backend is used in RESTful mode (without post=1 set), allowing a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the configured one, via a crafted DNS query. This can be used to cause a denial of service by preventing the remote backend from getting a response, content spoofing if the attacker can time its own query so that subsequent queries will use an attacker-controlled HTTP server instead of the configured one, and possibly information disclosure if the Authoritative Server has access to internal servers. |
Description: | Affected Software/OS: PowerDNS Authoritative up to and including 4.1.6.
Solution: Upgrade to version 4.0.7, 4.1.7 or later.
CVSS Score: 6.5
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P |
Cross-reference: |
Common Vulnerability Exposure (CVE) ID: CVE-2019-3871
BugTraq ID: 107491
http://www.securityfocus.com/bid/107491
Bugtraq: 20190404 [SECURITY] [DSA 4424-1] pdns security update
https://seclists.org/bugtraq/2019/Apr/8
Debian Security Information: DSA-4424
https://www.debian.org/security/2019/dsa-4424
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ROFI6OTWF4GKONNSNEDUCW6LVSSEBZNF/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWUHF6MRSQ3YO7UUISGLV7MXCAGBW2VD/
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
https://lists.debian.org/debian-lts-announce/2019/03/msg00039.html
http://www.openwall.com/lists/oss-security/2019/03/18/4
SuSE Security Announcement: openSUSE-SU-2019:1128
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00022.html |
Copyright | Copyright (C) 2019 Greenbone Networks GmbH |