CVE-2020-8616
Severity: 8.6 HIGH
EPSS: 19.4% (top 4.62%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: May 19
Latest update: May 24
Description
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: (1) the performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and (2) the attacker can exploit this be…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H (exploitability 3.9, impact 4.0)
Read as: network-reachable, low attack complexity, no privileges or user interaction required, scope changed, no confidentiality or integrity impact, high availability impact. The scope is changed because the attacker's input (a crafted referral from a zone they control) impairs a different component, the recursive resolver and its clients; with S:C the exploitability and impact sub-scores above combine to the 8.6 base score.
Affected packages (4 packages)
- isc/bind (source: CVE List V5): 9.0.0 -> 9.11.18, 9.12.0 -> 9.12.4-P2, 9.14.0 -> 9.14.11, 9.16.0 -> 9.16.2, and releases 9.17.0 -> 9.17.1 of the 9.17 experimental development branch; all releases in the obsolete 9.13 and 9.15 development branches; all releases of BIND Supported Preview Edition from 9.9.3-S1 -> 9.11.18-S1
- Also affects: Debian Linux 9.0, 10.0
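An added example, not code from this page, ISC, or any of the advisory sources it cites: a checker that maps a `named -v` line or a package version string onto the affected ranges listed above. The range table is transcribed from this page; the suffix-detection heuristic for distribution builds and the sample inputs (including the Debian-style version string) are constructed for the example. Distribution packages backport fixes without changing the upstream number, so for those the result is a prompt to read the package changelog, not a verdict.

```python
import re

# Affected ISC BIND 9 ranges for CVE-2020-8616, transcribed from the
# "Affected packages" entry on this page.  Bounds are inclusive.
AFFECTED_RANGES = [
    ("9.0.0", "9.11.18"),
    ("9.12.0", "9.12.4-P2"),
    ("9.14.0", "9.14.11"),
    ("9.16.0", "9.16.2"),
    ("9.17.0", "9.17.1"),   # 9.17 experimental development branch
]
# Obsolete development branches listed as affected in every release.
AFFECTED_BRANCHES = {(9, 13), (9, 15)}
# BIND Supported Preview Edition (-Sn releases) is tracked as its own line.
AFFECTED_SPE = ("9.9.3-S1", "9.11.18-S1")

# Upstream version as printed by `named -v` or embedded in a package version:
# major.minor.patch with an optional -Pn (patch) or -Sn (preview) suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.]?([PS])(\d+))?")
# Assumed heuristic for distribution packaging suffixes (Debian +dfsg/+deb10u1,
# Ubuntu ~, RHEL .el8); not an exhaustive list.
_PACKAGING_RE = re.compile(r"[+~]|dfsg|deb\d|ubuntu|\.el\d", re.IGNORECASE)


def parse_bind_version(text):
    """Extract the upstream BIND version from a version string.

    Returns (edition, key): edition is 'std' or 'spe'; key is a comparable
    tuple (major, minor, patch, suffix_level) where a plain release has
    suffix_level 0, so 9.12.4 < 9.12.4-P1 < 9.12.4-P2 as ISC orders them.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    kind, level = m.group(4), int(m.group(5) or 0)
    edition = "spe" if kind == "S" else "std"
    return edition, (major, minor, patch, level)


def _within(key, low, high):
    return parse_bind_version(low)[1] <= key <= parse_bind_version(high)[1]


def is_affected(version):
    """True if the upstream version number falls in a listed affected range."""
    edition, key = parse_bind_version(version)
    if edition == "spe":
        return _within(key, *AFFECTED_SPE)
    if key[:2] in AFFECTED_BRANCHES:
        return True
    return any(_within(key, low, high) for low, high in AFFECTED_RANGES)


def is_distro_build(version):
    """Heuristic: distribution builds carry packaging suffixes and may have
    the fix backported without a new upstream number."""
    return bool(_PACKAGING_RE.search(version))


def assess(version):
    """Human-readable verdict for one version string."""
    verdict = "affected" if is_affected(version) else "not affected"
    if is_distro_build(version):
        verdict += (" by upstream version; distribution build, confirm the"
                    " CVE-2020-8616 entry in the package changelog")
    return verdict


if __name__ == "__main__":
    # Constructed sample inputs, including a Debian 10 style package string
    # of the kind behind the "Also affects: Debian Linux" note on this page.
    samples = [
        "BIND 9.16.2 (Stable Release) <id:abcdef0>",
        "9.16.3",
        "9.12.4-P2",
        "9.13.7",
        "9.11.18-S1",
        "9.11.5.P4+dfsg-5.1+deb10u1",
    ]
    for s in samples:
        print(f"{s:45} {assess(s)}")
```

Run it with `named -v` output piped in or with a package manager's version string; anything that comes back "affected by upstream version" on a distribution build needs the changelog checked before it is counted either way.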
Vulnerability details (sources)
- GHSA: GHSA-rc96-hg8v-6p4g, 2022-05-24 (carries the description quoted above)
- OSV: CVE-2020-8616, 2020-05-19 (same description)
- CVE List: "BIND does not sufficiently limit the number of fetches performed when processing referrals", 2020-05-19