CVE-2020-24698: Double Free
First published: Fri Oct 02 2020(Updated: )
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. A remote, unauthenticated attacker might be able to cause a double-free, leading to a crash or possibly arbitrary code execution. by sending crafted queries with a GSS-TSIG signature.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PowerDNS Authoritative | <=4.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-24698?
CVE-2020-24698 is a vulnerability in PowerDNS Authoritative through version 4.3.0, when --enable-experimental-gss-tsig is used, that allows a remote, unauthenticated attacker to cause a double-free, leading to a crash or possibly arbitrary code execution.
How does CVE-2020-24698 affect PowerDNS Authoritative?
CVE-2020-24698 affects PowerDNS Authoritative versions up to and including 4.3.0 when the --enable-experimental-gss-tsig configuration option is enabled.
What is the severity of CVE-2020-24698?
CVE-2020-24698 has a severity rating of 9.8 (critical).
How can an attacker exploit CVE-2020-24698?
An attacker can exploit CVE-2020-24698 by sending crafted queries with a GSS-TSIG signature.
Is there a fix available for CVE-2020-24698?
Yes, a fix for CVE-2020-24698 is available in PowerDNS Authoritative versions after 4.3.0.
- collector/nvd-index
- vendor/powerdns
- canonical/powerdns authoritative
- version/powerdns authoritative/4.3.0