CVE-2022-40188 — Inefficient Algorithmic Complexity in Knot Resolver

CWE-407 — Inefficient Algorithmic Complexity CWE-400 — Uncontrolled Resource Consumption6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 35.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cz.nic Knot-resolver NIC Knot Resolver Debian Linux +1 more

Timeline

PublishedSep 23

Latest updateJul 13

Description

Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity. During an attack, an authoritative server must return large NS sets or address sets.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDnic/knot_resolver< 5.5.3

▶Debiancz.nic/knot-resolver< 5.5.3-1+2

Also affects: Debian Linux 10.0, Fedora 35, 36, 37

🔴Vulnerability Details

GHSA

GHSA-qj7c-f3xj-jxpv: Knot Resolver before 5↗2022-09-25

▶

CVEList

CVE-2022-40188: Knot Resolver before 5↗2022-09-23

▶

OSV

CVE-2022-40188: Knot Resolver before 5↗2022-09-23

▶

📋Vendor Advisories

Ubuntu

Knot Resolver vulnerability↗2023-07-13

▶

Debian

CVE-2022-40188: knot-resolver - Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service ...↗2022

▶