CVE-2015-5470
high
CVSS v3
—
CVSS v2
7.8
VIR risk
7.8
Description
The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth) Server before 3.3.3 and 3.4.x before 3.4.5 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a long name that refers to itself. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1868.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2015-5470
Vendor advisory: cve@mitre.org — https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 3.4.5-1 |
| debian | bullseye | fixed | 3.4.5-1 |
| debian | forky | fixed | 3.4.5-1 |
| debian | sid | fixed | 3.4.5-1 |
| debian | trixie | fixed | 3.4.5-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| powerdns | authoritative | {"endIncluding":"3.3.2"} | |
| powerdns | authoritative | 3.4.0 | |
| powerdns | authoritative | 3.4.1 | |
| powerdns | authoritative | 3.4.2 | |
| powerdns | authoritative | 3.4.3 | |
| powerdns | authoritative | 3.4.4 | |
| powerdns | recursor | {"endIncluding":"3.6.3"} | |
| powerdns | recursor | 3.7.1 | |
| powerdns | recursor | 3.7.2 | |
References
CWEs
CWE-399
Verify integrity in audit chain (admin only). AS-IS.