CVE-2015-5470

2015-11-0219:59:09

CWE-399

[email protected]

web.nvd.nist.gov

cve-2015-5470

powerdns

recursor

auth server

denial of service

cpu consumption

crash

nvd

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

6.4 Medium

AI Score

Confidence

Low

0.045 Low

EPSS

Percentile

92.6%

JSON

The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth) Server before 3.3.3 and 3.4.x before 3.4.5 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a long name that refers to itself. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1868.

Affected configurations

NVD

Node

powerdnsauthoritativeRange≤3.3.2

powerdnsauthoritativeMatch3.4.0

powerdnsauthoritativeMatch3.4.1

powerdnsauthoritativeMatch3.4.2

powerdnsauthoritativeMatch3.4.3

powerdnsauthoritativeMatch3.4.4

Node

powerdnsrecursorRange≤3.6.3

powerdnsrecursorMatch3.7.1

powerdnsrecursorMatch3.7.2

CPENameOperatorVersion
powerdns:authoritativepowerdns authoritativele3.3.2
powerdns:authoritativepowerdns authoritativeeq3.4.0
powerdns:authoritativepowerdns authoritativeeq3.4.1
powerdns:authoritativepowerdns authoritativeeq3.4.2
powerdns:authoritativepowerdns authoritativeeq3.4.3
powerdns:authoritativepowerdns authoritativeeq3.4.4

CPE	Name	Operator	Version
powerdns:authoritative	powerdns authoritative	le	3.3.2
powerdns:authoritative	powerdns authoritative	eq	3.4.0
powerdns:authoritative	powerdns authoritative	eq	3.4.1
powerdns:authoritative	powerdns authoritative	eq	3.4.2
powerdns:authoritative	powerdns authoritative	eq	3.4.3
powerdns:authoritative	powerdns authoritative	eq	3.4.4