CVE-2017-15093 log

Source
Severity Medium
Remote Yes
Type Insufficient validation
Description
An issue has been found in the API of PowerDNS Recursor < 4.0.7, during a source code audit by Nixu. When 'api-config-dir' is set to a non-empty value, which is not the case by default, the API allows an authorized user to update the Recursor’s ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor’s configuration.
Group Package Affected Fixed Severity Status Ticket
AVG-520 powerdns-recursor 4.0.6-3 4.0.7-1 Medium Fixed
Date Advisory Group Package Severity Type
27 Nov 2017 ASA-201711-31 AVG-520 powerdns-recursor Medium multiple issues
References
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html
https://github.com/PowerDNS/pdns/commit/badf9e8900428f21585f7f929aeddc87cd0d2069
Notes
Disable the ability to alter the configuration via the API by setting 'api-config-dir' to an empty value (default), or set the API read-only via the 'api-readonly' setting.