CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
87.9%
Severity: High
Date : 2019-03-22
CVE-ID : CVE-2019-3871
Package : powerdns
Type : insufficient validation
Remote : Yes
Link : https://security.archlinux.org/AVG-927
The package powerdns before version 4.1.7-1 is vulnerable to
insufficient validation.
Upgrade to 4.1.7-1.
The problem has been fixed upstream in version 4.1.7.
None.
An issue has been found in PowerDNS Authoritative Server before 4.1.7,
when the HTTP remote backend is used in RESTful mode (without post=1
set), allowing a remote user to cause the HTTP backend to connect to an
attacker-specified host instead of the configured one, via a crafted
DNS query. This can be used to cause a denial of service by preventing
the remote backend from getting a response, content spoofing if the
attacker can time its own query so that subsequent queries will use an
attacker-controlled HTTP server instead of the configured one, and
possibly information disclosure if the Authoritative Server has access
to internal servers.
A remote user can cause a denial of service by preventing the remote
backend from getting a response, content spoofing if the attacker can
time its own query so that subsequent queries will use an attacker-
controlled HTTP server instead of the configured one, and possibly
information disclosure if the Authoritative Server has access to
internal servers.
https://seclists.org/oss-sec/2019/q1/185
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
https://github.com/PowerDNS/pdns/issues/7573
https://github.com/PowerDNS/pdns/pull/7577
https://security.archlinux.org/CVE-2019-3871
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
87.9%