CVE-2017-15105

MEDIUM

Unbound <1.6.8 - Info Disclosure

Title source: llm

Description

A flaw was found in the way unbound before 1.6.8 validated wildcard-synthesized NSEC records. An improperly validated wildcard NSEC record could be used to prove the non-existence (NXDOMAIN answer) of an existing wildcard record, or trick unbound into accepting a NODATA proof.

References (5)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/102817

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/02/msg00022.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2018/01/msg00039.html

[Patch, Vendor Advisory] https://unbound.net/downloads/CVE-2017-15105.txt

[Third Party Advisory] https://usn.ubuntu.com/3673-1/

Scores

CVSS v3 5.3

EPSS 0.0069

EPSS Percentile 71.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-358 CWE-20

Status published

Products (7)

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 17.10

canonical/ubuntu_linux 18.04

debian/debian_linux 7.0

debian/debian_linux 8.0

nlnetlabs/unbound < 1.6.8

Published Jan 23, 2018

Tracked Since Feb 18, 2026