DEBIAN-CVE-2017-15093

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2017-15093

Published: 23 Jan 2018, 15:29

Last modified:28 Apr 2026, 20:16

Vulnerability Summary

Overall Risk (default)

low

21/100

CVSS Score

5.3 MEDIUM

3.0 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

23 Jan 2018, 15:29

Published

Vulnerability first disclosed

28 Apr 2026, 20:16

Last Modified

Vulnerability information updated

Description

When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor's configuration.

CVSS Metrics

v3.0•MEDIUM•Score: 5.3CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected Systems

debian•pdns-recursor
< 4.0.7-1 | < 4.0.7-1 | < 4.0.7-1 | < 4.0.7-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2017-15093