CVE-2024-25638

HIGH

dnsjava - RCE

Title source: llm

Description

dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.

References (3)

[Patch] https://github.com/dnsjava/dnsjava/commit/bc51df1c455e6c9fb7cbd42fcb6d62d16047818d

[Vendor Advisory] https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw

[Patch] https://github.com/dnsjava/dnsjava/commit/2073a0cdea2c560465f7ac0cc56f202e6fc39705

View Patch ZIP pw:eip

Scores

CVSS v3 8.9

EPSS 0.0019

EPSS Percentile 40.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-345 CWE-349

Status published

Products (2)

dnsjava/dnsjava 0 - 3.6.0Maven

dnsjava/dnsjava < 3.6.0

Published Jul 22, 2024

Tracked Since Feb 18, 2026