CVE-2017-15090Improper Verification of Cryptographic Signature in Recursor

CWE-347Improper Verification of Cryptographic Signature7 documents6 sources
Severity
5.9MEDIUMNVD
EPSS
0.0%
top 99.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Powerdns RecursorPowerdns
Timeline
PublishedJan 23
Latest updateMay 13

Description

An issue has been found in the DNSSEC validation component of PowerDNS Recursor from 4.0.0 and up to and including 4.0.6, where the signatures might have been accepted as valid even if the signed data was not in bailiwick of the DNSKEY used to sign it. This allows an attacker in position of man-in-the-middle to alter the content of records by issuing a valid signature for the crafted records.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

NVDpowerdns/recursor4.0.04.0.6
CVEListV5powerdns/powerdnsfrom 4.0.0 and up to and including 4.0.6

Patches

Patch: doc.powerdns.comPatch: doc.powerdns.com

🔴Vulnerability Details

3
GHSA
GHSA-pr86-5p67-45rx: An issue has been found in the DNSSEC validation component of PowerDNS Recursor from 42022-05-13
OSV
CVE-2017-15090: An issue has been found in the DNSSEC validation component of PowerDNS Recursor from 42018-01-23
CVEList
CVE-2017-15090: An issue has been found in the DNSSEC validation component of PowerDNS Recursor from 42018-01-23

📋Vendor Advisories

1
Debian
CVE-2017-15090: pdns-recursor - An issue has been found in the DNSSEC validation component of PowerDNS Recursor ...2017

💬Community

2
Bugzilla
CVE-2017-15090 CVE-2017-15092 CVE-2017-15093 CVE-2017-15094 CVE-2017-15120 pdns-recursor: various flaws [epel-all]2017-12-11
Bugzilla
CVE-2017-15090 CVE-2017-15092 CVE-2017-15093 CVE-2017-15094 pdns-recursor: 4.0.7 release fixing security issues2017-12-11
CVE-2017-15090 — Powerdns Recursor vulnerability | cvebase