CVE-2019-3871 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Insufficient validation
Description	An issue has been found in PowerDNS Authoritative Server before 4.1.7, when the HTTP remote backend is used in RESTful mode (without post=1 set), allowing a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the configured one, via a crafted DNS query. This can be used to cause a denial of service by preventing the remote backend from getting a response, content spoofing if the attacker can time its own query so that subsequent queries will use an attacker-controlled HTTP server instead of the configured one, and possibly information disclosure if the Authoritative Server has access to internal servers.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-927	powerdns	4.1.6-2	4.1.7-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
22 Mar 2019	ASA-201903-13	AVG-927	powerdns	High	insufficient validation

References
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html https://github.com/PowerDNS/pdns/issues/7573 https://github.com/PowerDNS/pdns/pull/7577