CVE-2020-19860

2022-01-2114:15:07

Debian Security Bug Tracker

security-tracker.debian.org

ldns version

heap out of bounds

vulnerability

zone file

payload

unix

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

52.0%

JSON

When ldns version 1.7.1 verifies a zone file, the ldns_rr_new_frm_str_internal function has a heap out of bounds read vulnerability. An attacker can leak information on the heap by constructing a zone file payload.

OSVersionArchitecturePackageVersionFilename
Debian12allldns< 1.8.1-1ldns_1.8.1-1_all.deb
Debian11allldns<= 1.7.1-2ldns_1.7.1-2_all.deb
Debian999allldns< 1.8.1-1ldns_1.8.1-1_all.deb
Debian13allldns< 1.8.1-1ldns_1.8.1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	ldns	< 1.8.1-1	ldns_1.8.1-1_all.deb
Debian	11	all	ldns	<= 1.7.1-2	ldns_1.7.1-2_all.deb
Debian	999	all	ldns	< 1.8.1-1	ldns_1.8.1-1_all.deb
Debian	13	all	ldns	< 1.8.1-1	ldns_1.8.1-1_all.deb