CVE-2020-19860 — Out-of-bounds Read in Ldns

CWE-125 — Out-of-bounds Read9 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 67.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nlnetlabs Ldns Debian Ldns

Timeline

PublishedJan 21

Latest updateOct 4

Description

When ldns version 1.7.1 verifies a zone file, the ldns_rr_new_frm_str_internal function has a heap out of bounds read vulnerability. An attacker can leak information on the heap by constructing a zone file payload.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/ldns< ldns 1.8.1-1 (bookworm)

▶Debiannlnetlabs/ldns< 1.8.1-1+2

▶Ubuntunlnetlabs/ldns< 1.7.0-3ubuntu4.1+3

▶NVDnlnetlabs/ldns1.7.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

ldns vulnerabilities↗2022-10-04

▶

OSV

ldns vulnerabilities↗2022-01-31

▶

GHSA

GHSA-x6hf-28q4-37gq: When ldns version 1↗2022-01-22

▶

OSV

CVE-2020-19860: When ldns version 1↗2022-01-21

▶

📋Vendor Advisories

Ubuntu

ldns vulnerabilities↗2022-10-04

▶

Ubuntu

ldns vulnerabilities↗2022-01-31

▶

Red Hat

ldns: heap overread vulnerability via zone file↗2022-01-21

▶

Debian

CVE-2020-19860: ldns - When ldns version 1.7.1 verifies a zone file, the ldns_rr_new_frm_str_internal f...↗2020

▶