CVE-2015-4620 — Missing Initialization of a Variable in Bind

CWE-17 CWE-456 — Missing Initialization of a Variable CWE-617 — Reachable Assertion10 documents9 sources

Severity

7.8HIGHNVD

EPSS

27.2%

top 3.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

ISC Bind9 ISC Bind

Timeline

PublishedJul 8

Latest updateMay 14

Description

name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.

CVSS vector

AV:N/AC:L/C:N/I:N/A:CExploitability: 10.0 | Impact: 6.9

Affected Packages2 packages

▶Debianisc/bind9< 1:9.9.5.dfsg-10+3

▶NVDisc/bind26 versions+25

🔴Vulnerability Details

GHSA

GHSA-m8gj-8mqg-2pwg: name↗2022-05-14

▶

OSV

CVE-2015-4620: name↗2015-07-08

▶

CVEList

CVE-2015-4620: name↗2015-07-08

▶

📋Vendor Advisories

BSD

FreeBSD-SA-15:11.bind: BIND resolver remote denial of service when validating↗2015-07-07

▶

Ubuntu

Bind vulnerability↗2015-07-07

▶

Red Hat

bind: abort DoS caused by uninitialized value use in isselfsigned()↗2015-07-07

▶

Debian

CVE-2015-4620: bind9 - name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x befor...↗2015

▶

💬Community

Bugzilla

CVE-2015-4620 bind: abort DoS caused by uninitialized value use in isselfsigned() [fedora-all]↗2015-07-08

▶

Bugzilla

CVE-2015-4620 bind: abort DoS caused by uninitialized value use in isselfsigned()↗2015-06-30

▶