CVE-2020-10772Insufficient Control of Network Message Volume (Network Amplification) in Unbound

CWE-406Insufficient Control of Network Message Volume (Network Amplification)CWE-400Uncontrolled Resource Consumption6 documents6 sources
Severity
7.5HIGHNVD
EPSS
0.3%
top 46.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nlnetlabs Unbound
Timeline
PublishedNov 27
Latest updateMay 24

Description

An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414. Vulnerable versions of Unbound could still amplify an incoming query into a large number of queries directed to a target, even with a lower amplification ratio compared to versions of Unbound that shipped before the mentioned erratum. This issue is about the incomplete fix for CVE-2020-12662, and it does not affect upstream versions of Unbound.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

CVEListV5nlnetlabs/unboundunbound-1.6.6-5.el7_8
NVDnlnetlabs/unbound1.6.6-5

🔴Vulnerability Details

2
GHSA
GHSA-g6qm-p3jr-vj64: An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:24142022-05-24
CVEList
CVE-2020-10772: An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:24142020-11-27

📋Vendor Advisories

2
Red Hat
unbound: incomplete fix for CVE-2020-12662 in RHEL72020-06-10
Debian
CVE-2020-10772: unbound - An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterpri...2020

💬Community

1
Bugzilla
CVE-2020-10772 unbound: incomplete fix for CVE-2020-12662 in RHEL72020-06-10
CVE-2020-10772 — Nlnetlabs Unbound vulnerability | cvebase