CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
75.0%
Severity: Medium
Date : 2018-11-12
CVE-ID : CVE-2018-10851 CVE-2018-14626
Package : powerdns
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-804
The package powerdns before version 4.1.5-1 is vulnerable to denial of
service.
Upgrade to 4.1.5-1.
The problems have been fixed upstream in version 4.1.5.
None.
An issue has been found in PowerDNS Authoritative Server before 4.1.5
and PowerDNS Recursor before 4.1.5. The issue is due to the fact that
some memory is allocated before the parsing and is not always properly
released if the record is malformed.
In the authoritative server case, it allows an authorized user to cause
a memory leak by inserting a specially crafted record in a zone under
their control, then sending a DNS query for that record. In the case of
the recursor, it allows a malicious authoritative server to cause a
memory leak by sending specially crafted records.
An issue has been found in PowerDNS Authoritative Server before 4.1.5
and PowerDNS Recursor before 4.1.5, allowing a remote user to craft a
DNS query that will cause an answer without DNSSEC records to be
inserted into the packet cache and be returned to clients asking for
DNSSEC records, thus hiding the presence of DNSSEC signatures for a
specific qname and qtype. For a DNSSEC-signed domain, this means that
DNSSEC validating clients will consider the answer to be bogus until it
expires from the packet cache, leading to a denial of service.
A remote attacker might be able to use crafted queries to crash the
PowerDNS server or force it to serve answers without DNSSEC-related
records to DNSSEC-enabled queries, causing validation failures.
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html
https://security.archlinux.org/CVE-2018-10851
https://security.archlinux.org/CVE-2018-14626
docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html
docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html
docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html
docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html
security.archlinux.org/AVG-804
security.archlinux.org/CVE-2018-10851
security.archlinux.org/CVE-2018-14626
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
75.0%