CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-12705 – DNS-over-HTTPS implementation suffers from multiple issues under heavy query load
https://notcve.org/view.php?id=CVE-2024-12705
29 Jan 2025 — Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1. A flaw was found in BIND 9. By flooding a target resolver with HTTP/2 traffic and exploiting this flaw, an attacker could overwhelm the server, causing high CPU and/or memory usage and preventing other clients from establishing D... • https://kb.isc.org/docs/cve-2024-12705 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-11187 – Many records in the additional section cause CPU exhaustion
https://notcve.org/view.php?id=CVE-2024-11187
29 Jan 2025 — It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 ... • https://kb.isc.org/docs/cve-2024-11187 • CWE-400: Uncontrolled Resource Consumption CWE-405: Asymmetric Resource Consumption (Amplification) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22711 – WordPress Image Source Control Lite Plugin <= 2.29.0 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-22711
15 Jan 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Thomas Maier Image Source Control allows Reflected XSS. This issue affects Image Source Control: from n/a through 2.29.0. The Image Source Control plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.29.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages... • https://patchstack.com/database/wordpress/plugin/image-source-control-isc/vulnerability/wordpress-image-source-control-lite-plugin-2-29-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-4076 – Assertion failure when serving both stale cache data and authoritative zone content
https://notcve.org/view.php?id=CVE-2024-4076
23 Jul 2024 — Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Las consultas de los clientes que desencadenan la entrega de datos obsoletos y que también requieren búsquedas en datos de la zona autorizada local pueden provoc... • http://www.openwall.com/lists/oss-security/2024/07/23/1 • CWE-617: Reachable Assertion •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-1975 – SIG(0) can be used to exhaust CPU resources
https://notcve.org/view.php?id=CVE-2024-1975
23 Jul 2024 — If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. Si un servidor aloja una zona que contiene ... • http://www.openwall.com/lists/oss-security/2024/07/23/1 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-1737 – BIND's database will be slow if a very large number of RRs exist at the same name
https://notcve.org/view.php?id=CVE-2024-1737
23 Jul 2024 — Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Las cachés de resolución y las base... • http://www.openwall.com/lists/oss-security/2024/07/23/1 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 28%CPEs: 2EXPL: 1CVE-2024-0760 – A flood of DNS messages over TCP may make the server unstable
https://notcve.org/view.php?id=CVE-2024-0760
23 Jul 2024 — A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. Un cliente malintencionado puede enviar muchos mensajes DNS a través de TCP, lo que podría provocar que el servidor se vuelva inestable mientras el ataque está en cu... • https://github.com/SpiralBL0CK/CVE-2024-0760 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28872 – Incorrect TLS certificate validation can lead to escalated privileges
https://notcve.org/view.php?id=CVE-2024-28872
11 Jul 2024 — The TLS certificate validation code is flawed. An attacker can obtain a TLS certificate from the Stork server and use it to connect to the Stork agent. Once this connection is established with the valid certificate, the attacker can send malicious commands to a monitored service (Kea or BIND 9), possibly resulting in confidential data loss and/or denial of service. It should be noted that this vulnerability is not related to BIND 9 or Kea directly, and only customers using the Stork management tool are pote... • https://kb.isc.org/docs/cve-2024-28872 • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6516 – Specific recursive query patterns may lead to an out-of-memory condition
https://notcve.org/view.php?id=CVE-2023-6516
13 Feb 2024 — To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in ... • http://www.openwall.com/lists/oss-security/2024/02/13/1 • CWE-400: Uncontrolled Resource Consumption CWE-789: Memory Allocation with Excessive Size Value •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-4408 – Parsing large DNS messages may cause excessive CPU load
https://notcve.org/view.php?id=CVE-2023-4408
13 Feb 2024 — The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S... • http://www.openwall.com/lists/oss-security/2024/02/13/1 • CWE-400: Uncontrolled Resource Consumption CWE-407: Inefficient Algorithmic Complexity •