CVE-2019-3871 - log

CVE-2019-3871 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Insufficient validation
Description
+ An issue has been found in PowerDNS Authoritative Server before 4.1.7, when the HTTP remote backend is used in RESTful mode (without post=1 set), allowing a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the configured one, via a crafted DNS query. This can be used to cause a denial of service by preventing the remote backend from getting a response, content spoofing if the attacker can time its own query so that subsequent queries will use an attacker-controlled HTTP server instead of the configured one, and possibly information disclosure if the Authoritative Server has access to internal servers.
References
+ https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
+ https://github.com/PowerDNS/pdns/issues/7573
+ https://github.com/PowerDNS/pdns/pull/7577
Notes