ALPINE-CVE-2020-8617

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2020-8617

Published: 19 May 2020, 14:15

Last modified:03 Dec 2025, 22:47

Vulnerability Summary

Overall Risk (default)

low

24/100

CVSS Score

5.9 MEDIUM

3.1 (osv_alpine)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

19 May 2020, 14:15

Published

Vulnerability first disclosed

03 Dec 2025, 22:47

Last Modified

Vulnerability information updated

Description

Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.

CVSS Metrics

v3.1•MEDIUM•Score: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Systems

alpine•bind
< 9.14.12-r0 | < 9.14.12-r0 | < 9.14.12-r0 | < 9.14.12-r0 | < 9.14.12-r0 | < 9.14.12-r0 | < 9.14.12-r0 | < 9.14.12-r0 | < 9.14.12-r0 | < 9.14.12-r0 | < 9.14.12-r0 | < 9.14.12-r0 | < 9.14.12-r0 | < 9.14.12-r0

References (1)

https://security.alpinelinux.org/vuln/CVE-2020-8617