CVE-2023-22617

A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/01/20/1	Mailing List Release Notes Third Party Advisory
https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.1	Release Notes Vendor Advisory
https://docs.powerdns.com/recursor/security-advisories/	Vendor Advisory
http://www.openwall.com/lists/oss-security/2023/01/20/1	Mailing List Release Notes Third Party Advisory
https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.1	Release Notes Vendor Advisory
https://docs.powerdns.com/recursor/security-advisories/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:powerdns:recursor:4.8.0:*:*:*:*:*:*:*

History

21 Nov 2024, 07:45

Type	Values Removed	Values Added
References	~~() http://www.openwall.com/lists/oss-security/2023/01/20/1 - Mailing List, Release Notes, Third Party Advisory~~	() http://www.openwall.com/lists/oss-security/2023/01/20/1 - Mailing List, Release Notes, Third Party Advisory
References	~~() https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.1 - Release Notes, Vendor Advisory~~	() https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.1 - Release Notes, Vendor Advisory
References	~~() https://docs.powerdns.com/recursor/security-advisories/ - Vendor Advisory~~	() https://docs.powerdns.com/recursor/security-advisories/ - Vendor Advisory

Information

Published : 2023-01-21 19:15

Updated : 2025-04-03 15:15

NVD link : CVE-2023-22617

Mitre link : CVE-2023-22617

CVE.ORG link : CVE-2023-22617

JSON object : View

Products Affected

powerdns

recursor

CWE

CWE-674

Uncontrolled Recursion

{"id": "CVE-2023-22617", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-01-21T19:15:11.077", "references": [{"url": "http://www.openwall.com/lists/oss-security/2023/01/20/1", "tags": ["Mailing List", "Release Notes", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.1", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://docs.powerdns.com/recursor/security-advisories/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2023/01/20/1", "tags": ["Mailing List", "Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.1", "tags": ["Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.powerdns.com/recursor/security-advisories/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-674"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1."}, {"lang": "es", "value": "Un atacante remoto podr\u00eda provocar una recursividad infinita en PowerDNS Recursor 4.8.0 a trav\u00e9s de una consulta DNS que recupera registros DS para un dominio mal configurado, porque la minimizaci\u00f3n de QName se utiliza en el modo de reserva de QM. Esto se solucion\u00f3 en 4.8.1."}], "lastModified": "2025-04-03T15:15:42.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:powerdns:recursor:4.8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "555D9C8B-4356-4078-8515-81F9C3B6CF74"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}