CVE-2023-29483 — DEPRECATED: Trusting Self-reported DNS Name in Dnspython

CWE-292 — DEPRECATED: Trusting Self-reported DNS Name CWE-696 — Incorrect Behavior Order7 documents6 sources

Severity

7.0HIGHNVD

EPSS

5.0%

top 10.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dnspython Eventlet Fedoraproject Fedora

Timeline

PublishedApr 11

Description

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:HExploitability: 2.2 | Impact: 4.7

Affected Packages5 packages

▶NVDdnspython/dnspython< 2.6.0

▶PyPIdnspython/dnspython< 2.6.1

▶Debiandnspython/dnspython< 2.6.0-1+1

▶NVDeventlet/eventlet< 0.35.2

▶PyPIeventlet/eventlet< 0.35.2

Also affects: Fedora 38, 39, 40

🔴Vulnerability Details

GHSA

Potential DoS via the Tudoor mechanism in eventlet and dnspython↗2024-04-11

▶

OSV

CVE-2023-29483: eventlet before 0↗2024-04-11

▶

CVEList

CVE-2023-29483: eventlet before 0↗2024-04-11

▶

OSV

Potential DoS via the Tudoor mechanism in eventlet and dnspython↗2024-04-11

▶

📋Vendor Advisories

Red Hat

dnspython: denial of service in stub resolver↗2024-02-09

▶

Debian

CVE-2023-29483: dnspython - eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attacke...↗2023

▶