CVE-2019-3871
MEDIUM
PowerDNS Authoritative Server < 4.0.7 and < 4.1.7 - Denial of Service via HTTP Connector Remote Backend
Title source: llm
Description
A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. Insufficient validation of data coming from the user when building an HTTP request from a DNS query in the HTTP Connector of the Remote backend allows a remote user to cause a denial of service by making the server connect to an invalid endpoint, or possibly information disclosure by making the server connect to an internal endpoint and somehow extracting meaningful information about the response.
References (10)
Core References
Exploit, Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/03/18/4
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3871
Vendor Advisory x_refsource_misc
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/107491
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GWUHF6MRSQ3YO7UUISGLV7MXCAGBW2VD/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ROFI6OTWF4GKONNSNEDUCW6LVSSEBZNF/
Mailing List mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/03/msg00039.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00022.html
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2019/dsa-4424
Mailing List mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Apr/8
Scores
CVSS v3: 6.5
EPSS: 0.1286
EPSS Percentile: 95.8%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Details
CWE: CWE-20
Status: published
Products (3)
fedoraproject/fedora 28
fedoraproject/fedora 29
powerdns/authoritative_server < 4.0.7
Published: Mar 21, 2019
Tracked Since: Feb 18, 2026