CVE-2018-5738 — Sensitive Information Exposure in BIND 9
Severity
NVD: 7.5 HIGH
CNA: 5.3
EPSS: 3.3% (top 12.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jan 16
Latest update: May 14
Description
Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the "allow-recursion" setting, it SHOULD default to one of the following: none, if "recursion no;" is set in named.conf; a value inherited from the "allow-query-cache" or "allow-query" settings IF "recu…
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages (3 packages)
CVEListV5: isc/bind_9: 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.
Also affects: Ubuntu Linux 18.04
Vulnerability Details (3)
GHSA
GHSA-cg2m-4gq8-j388: Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are pe… (2022-05-14)
CVEList
Some versions of BIND can improperly permit recursive query service to unauthorized clients (2019-01-16)
OSV
CVE-2018-5738: Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are pe… (2019-01-16)
Vendor Advisories (3)
Community (3)
Bugzilla
CVE-2018-5738 bind99: bind: Improper handling of configuration allows all clients to perform recursive queries [fedora-all] (2018-06-13)
Bugzilla
CVE-2018-5738 bind: Improper handling of configuration allows all clients to perform recursive queries [fedora-all] (2018-06-13)
Bugzilla
CVE-2018-5738 bind: Improper handling of configuration allows all clients to perform recursive queries (2018-06-11)