CVE-2024-8508 — Unchecked Input for Loop Condition in Unbound

CWE-606 — Unchecked Input for Loop Condition CWE-1284 — Improper Validation of Specified Quantity in Input9 documents9 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 54.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nlnetlabs Unbound Nlnet Labs Unbound Debian Linux

Timeline

PublishedOct 3

Latest updateOct 22

Description

NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. The vulnerability can be exploited by a malicious actor querying Unbound for th…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDnlnetlabs/unbound< 1.21.1

▶Debiannlnetlabs/unbound< 1.13.1-1+deb11u4+3

▶CVEListV5nlnet_labs/unbound1.21.0

Also affects: Debian Linux 11.0

🔴Vulnerability Details

OSV

CVE-2024-8508: NLnet Labs Unbound up to and including version 1↗2024-10-03

▶

CVEList

Unbounded name compression could lead to Denial of Service↗2024-10-03

▶

GHSA

GHSA-g7cv-x9wx-38gx: NLnet Labs Unbound up to and including version 1↗2024-10-03

▶

📋Vendor Advisories

Ubuntu

Unbound vulnerability↗2024-10-22

▶

BSD

OpenBSD 7.5 Errata 011: SECURITY FIX↗2024-10-14

▶

Microsoft

Unbounded name compression could lead to Denial of Service↗2024-10-08

▶

Red Hat

unbound: Unbounded name compression could lead to Denial of Service↗2024-10-03

▶

Debian

CVE-2024-8508: unbound - NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability w...↗2024

▶