Unrated severityNVD Advisory· Published Jan 23, 2018· Updated Aug 5, 2024

CVE-2017-15091

Description

An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY.

Affected products

osv-coords
pkg:rpm/opensuse/pdns&distro=openSUSE%20Tumbleweed
Range: < 4.5.1-1.5
PowerDNS/PowerDNS Authoritativev5
Range: 4.x up to and including 4.0.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/101982mitrevdb-entryx_refsource_BID
doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.htmlmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000