CVE-2023-29483
Aliases: GHSA-3rq5-2g8h-59hc
Advisory lineage Upstream: 0 Downstream: 14
Modified
Published: 11 Apr 2024, 00:00
Last modified: 04 Nov 2025, 17:12
Vulnerability Summary
- Overall Risk (default): medium, 40/100
- CVSS Score: 7 HIGH, v3.1 (cve.org)
- EPSS Score: 8.39% LOW, 8% probability, +3.43%
- KEV: Not listed
- Ransomware: No reports
- Public exploits: 2 found
- Dark Web: Not detected
Timeline
- 11 Apr 2024, 00:00: Published. Vulnerability first disclosed
- 04 Nov 2025, 17:12: Last Modified. Vulnerability information updated
Description
eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.
CVSS Metrics
- v3.1•HIGH•Score: 7•CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
- v3.1•MEDIUM•Score: 5.9•CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 8.39%•Percentile: 92%
Techniques & Countermeasures
- CWE-292•DEPRECATED: Trusting Self-reported DNS Name
  This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350.
Affected Systems
- dnspython•dnspython: < 2.6.0
- eventlet•eventlet: < 0.35.2
- fedoraproject•fedora: 38 | 39 | 40
- netapp•bootstrap_os: na
- PyPI•dnspython: < 2.6.1
- PyPI•eventlet: < 0.35.2
References (21)
- https://www.dnspython.org/
- https://github.com/rthalley/dnspython/releases/tag/v2.6.0
- https://github.com/rthalley/dnspython/issues/1045
- https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713
- https://github.com/eventlet/eventlet/issues/913
- https://github.com/eventlet/eventlet/releases/tag/v0.35.2
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH/
- https://security.netapp.com/advisory/ntap-20240510-0001/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH/
- https://nvd.nist.gov/vuln/detail/CVE-2023-29483
- https://github.com/eventlet/eventlet/commit/51e3c4928d4938beb576eff34f3bf97e6e64e6b4
- https://github.com/rthalley/dnspython/commit/0ea5ad0a4583e1f519b9bcc67cfac381230d9cf2
- https://github.com/eventlet/eventlet
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF
- https://security.netapp.com/advisory/ntap-20240510-0001
- https://www.dnspython.org