CVE-2019-3871: Input Validation
First published: Tue Mar 19 2019(Updated: )
A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. An insufficient validation of data coming from the user when building a HTTP request from a DNS query in the HTTP Connector of the Remote backend, allowing a remote user to cause a denial of service by making the server connect to an invalid endpoint, or possibly information disclosure by making the server connect to an internal endpoint and somehow extracting meaningful information about the response
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/pdns | 4.1.6-3+deb10u1 4.4.1-1 4.7.3-2 4.8.3-1 | |
| debian/pdns | <=4.1.6-1<=4.0.3-1+deb9u3<=4.0.3-1 | 4.0.3-1+deb9u4 4.1.6-2 4.2.0-1 |
| PowerDNS Authoritative Server | <4.0.7 | |
| PowerDNS Authoritative Server | >=4.1.0<4.1.7 | |
| Fedoraproject Fedora | =28 | |
| Fedoraproject Fedora | =29 | |
| <4.0.7 | ||
| >=4.1.0<4.1.7 | ||
| =28 | ||
| =29 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/PowerDNS/pdns/issues/7573
- https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
- https://downloads.powerdns.com/patches/2019-03/
- https://security-tracker.debian.org/tracker/CVE-2019-3871
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3871
- https://www.openwall.com/lists/oss-security/2019/03/18/4
- https://salsa.debian.org/dns-team/pdns/merge_requests/1
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924966
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00022.html
- http://www.openwall.com/lists/oss-security/2019/03/18/4
- http://www.securityfocus.com/bid/107491
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3871
- https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
- https://lists.debian.org/debian-lts-announce/2019/03/msg00039.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWUHF6MRSQ3YO7UUISGLV7MXCAGBW2VD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ROFI6OTWF4GKONNSNEDUCW6LVSSEBZNF/
- https://seclists.org/bugtraq/2019/Apr/8
- https://www.debian.org/security/2019/dsa-4424
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GWUHF6MRSQ3YO7UUISGLV7MXCAGBW2VD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ROFI6OTWF4GKONNSNEDUCW6LVSSEBZNF/
Frequently Asked Questions
What is CVE-2019-3871?
CVE-2019-3871 is a vulnerability found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7.
How severe is CVE-2019-3871?
CVE-2019-3871 has a severity rating of 8.8 (high).
How can CVE-2019-3871 be exploited?
CVE-2019-3871 can be exploited by a remote user to cause a denial of service by making a HTTP request from a DNS query in the HTTP Connector of the Remote backend.
What is the affected software?
PowerDNS Authoritative Server versions before 4.0.7 and before 4.1.7 are affected.
How can I fix CVE-2019-3871?
To fix CVE-2019-3871, update PowerDNS Authoritative Server to version 4.0.7 or 4.1.7.
- collector/security-tracker-debian
- collector/debian-bugs
- alias/CVE-2019-3871
- collector/nvd-index
- agent/remedy
- agent/first-publish-date
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/severity
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- package-manager/debian
- vendor/powerdns
- canonical/powerdns authoritative server
- version/powerdns authoritative server/4.1.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/28
- version/fedoraproject fedora/29