CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15092
https://notcve.org/view.php?id=CVE-2017-15092
23 Jan 2018 — A cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4.0.0 up to and including 4.0.6, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and Javascript code into the web interface, altering the content. Se ha encontrado un problema de Cross-Site Scripting (XSS) en la interfaz web de PowerDNS Recursor, desde la versión 4.0.0 hasta la versión 4.0.6, también incluida, en la que el qname de las consultas DNS se mostr... • http://www.securityfocus.com/bid/101982 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-15093
https://notcve.org/view.php?id=CVE-2017-15093
23 Jan 2018 — When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor's configuration. Cua... • http://www.securityfocus.com/bid/101982 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15094
https://notcve.org/view.php?id=CVE-2017-15094
23 Jan 2018 — An issue has been found in the DNSSEC parsing code of PowerDNS Recursor from 4.0.0 up to and including 4.0.6 leading to a memory leak when parsing specially crafted DNSSEC ECDSA keys. These keys are only parsed when validation is enabled by setting dnssec to a value other than off or process-no-validate (default). Se ha encontrado un problema en el código de análisis DNSSEC de PowerDNS Recursor, desde la versión 4.0.0 hasta la 4.0.6, también incluida, lo que conduce a una fuga de memoria al analizar claves ... • http://www.securityfocus.com/bid/101982 • CWE-401: Missing Release of Memory after Effective Lifetime CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000003
https://notcve.org/view.php?id=CVE-2018-1000003
22 Jan 2018 — Improper input validation bugs in DNSSEC validators components in PowerDNS version 4.1.0 allow attacker in man-in-the-middle position to deny existence of some data in DNS via packet replay. Errores de validación indebida de entradas en los componentes de validadores DNSSEC en PowerDNS 4.1.0 permiten que un atacante Man-in-the-Middle (MitM) niegue la existencia de algunos datos en DNS mediante la reproducción de paquetes. • https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2016-7068 – Debian Security Advisory 3764-1
https://notcve.org/view.php?id=CVE-2016-7068
15 Jan 2017 — An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 3.7.4 and 4.0.4, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the PowerDNS server by sending crafted DNS queries, which might result in a partial denial of service if the system becomes overloaded. This issue is based on the fact that the PowerDNS server parses all records present in a query regardless of whether they are needed or even legitimate. A specially crafted query contain... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7068 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2016-7073 – Debian Security Advisory 3764-1
https://notcve.org/view.php?id=CVE-2016-7073
15 Jan 2017 — An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 4.0.4, allowing an attacker in position of man-in-the-middle to alter the content of an AXFR because of insufficient validation of TSIG signatures. A missing check of the TSIG time and fudge values was found in AXFRRetriever, leading to a possible replay attack. Se ha descubierto un problema en PowerDNS en versiones anteriores a la 3.4.11 y 4.0.2, y PowerDNS recursor en versiones anteriores a la 4.0.4, lo que permite q... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7073 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0CVE-2016-7074 – Debian Security Advisory 3764-1
https://notcve.org/view.php?id=CVE-2016-7074
15 Jan 2017 — An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 4.0.4, allowing an attacker in position of man-in-the-middle to alter the content of an AXFR because of insufficient validation of TSIG signatures. A missing check that the TSIG record is the last one, leading to the possibility of parsing records that are not covered by the TSIG signature. Se ha descubierto un problema en PowerDNS en versiones anteriores a la 3.4.11 y 4.0.2, y PowerDNS recursor en versiones anteriores... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7074 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 1%CPEs: 9EXPL: 0CVE-2015-5470
https://notcve.org/view.php?id=CVE-2015-5470
02 Nov 2015 — The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth) Server before 3.3.3 and 3.4.x before 3.4.5 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a long name that refers to itself. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1868. La funcionalidad de descompresión de etiqueta en PowerDNS Recursor en versiones anteriores a 3.6.4 y 3.7.x en versiones anteriores a 3.... • http://www.openwall.com/lists/oss-security/2015/07/07/6 • CWE-399: Resource Management Errors •
CVSS: 7.8EPSS: 53%CPEs: 19EXPL: 0CVE-2015-1868 – Debian Security Advisory 3306-1
https://notcve.org/view.php?id=CVE-2015-1868
18 May 2015 — The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a name that refers to itself. La funcionalidad de la decompresión de etiquetas en PowerDNS Recursor 3.5.x, 3.6.x anterior a 3.6.3, y 3.7.x anterior a 3.7.2 y Authoritative (Auth) Server 3.2.x, 3.3.x anterior a 3.3.2, y 3.4... • http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156648.html • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-8601 – Gentoo Linux Security Advisory 201412-33
https://notcve.org/view.php?id=CVE-2014-8601
10 Dec 2014 — PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which allows remote attackers to cause a denial of service ("performance degradations") via a large or infinite number of referrals, as demonstrated by resolving domains hosted by ezdns.it. PowerDNS Recursor en versiones anteriores a 3.6.2 no limita el encadenamiento de delegación, lo que permite a atacantes remotos provocar una denegación de servicio ("degradaciones de rendimiento") a través un número largo o infinito de referencias, según ... • http://cert.ssi.gouv.fr/site/CERTFR-2014-AVI-512/index.html • CWE-399: Resource Management Errors •