CVE-2017-15094: Missing Release of Memory after Effective Lifetime in Recursor

Severity
5.9 MEDIUM (NVD)
EPSS
0.0%
top 99.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jan 23
Latest update: May 13

Description

An issue has been found in the DNSSEC parsing code of PowerDNS Recursor from 4.0.0 up to and including 4.0.6, leading to a memory leak when parsing specially crafted DNSSEC ECDSA keys. These keys are only parsed when validation is enabled by setting dnssec to a value other than off or process-no-validate (the default).

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.2 | Impact: 3.6

Affected Packages (2 packages)

NVD: powerdns/recursor, 4.0.0 to 4.0.6
CVEListV5: powerdns/powerdns_recursor, from 4.0.0 up to and including 4.0.6

Patches

🔴 Vulnerability Details (3)

GHSA
GHSA-q452-p523-w4f9: An issue has been found in the DNSSEC parsing code of PowerDNS Recursor from 4 (2022-05-13)
OSV
CVE-2017-15094: An issue has been found in the DNSSEC parsing code of PowerDNS Recursor from 4 (2018-01-23)
CVEList
CVE-2017-15094: An issue has been found in the DNSSEC parsing code of PowerDNS Recursor from 4 (2018-01-23)

📋 Vendor Advisories (1)

Debian
CVE-2017-15094: pdns-recursor - An issue has been found in the DNSSEC parsing code of PowerDNS Recursor from 4.0... (2017)

💬 Community (2)

Bugzilla
CVE-2017-15090 CVE-2017-15092 CVE-2017-15093 CVE-2017-15094 CVE-2017-15120 pdns-recursor: various flaws [epel-all] (2017-12-11)
Bugzilla
CVE-2017-15090 CVE-2017-15092 CVE-2017-15093 CVE-2017-15094 pdns-recursor: 4.0.7 release fixing security issues (2017-12-11)