Description
PowerDNS (aka pdns) Authoritative Server before 4.0.1 allows remote primary DNS servers to cause a denial of service (memory exhaustion and secondary DNS server crash) via a large (1) AXFR or (2) IXFR response.
References (11)
Core 11
Core References
Release Notes x_refsource_confirm
https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-401
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2016/dsa-3664
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1036242
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/07/06/3
Issue Tracking x_refsource_confirm
https://github.com/PowerDNS/pdns/issues/4128
Issue Tracking x_refsource_confirm
https://github.com/PowerDNS/pdns/issues/4133
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/91678
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html
Issue Tracking x_refsource_confirm
https://github.com/PowerDNS/pdns/pull/4134
Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2016-08/msg00085.html
Patch x_refsource_misc
https://github.com/sischkg/xfer-limit/blob/master/README.md
Scores
CVSS v3
6.8
EPSS
0.0002
EPSS Percentile
5.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
Details
CWE
CWE-400
Status
published
Products (3)
opensuse/leap
42.1
opensuse/opensuse
13.2
powerdns/authoritative_server
< 4.0.0
Published
Sep 26, 2016
Tracked Since
Feb 18, 2026