CVE-2020-14196 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Low
Remote	Yes
Type	Access restriction bypass
Description	An issue has been found in PowerDNS Recursor before 4.3.2 where the ACL applied to the internal web server via `webserver-allow-from` is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction. Note that the web server is not enabled by default. Only installations using a non-default value for `webserver` and `webserver-address` are affected. Workarounds are: disable the webserver or set a password or an API key. Additionally, restrict the binding address using the `webserver-address` setting to local addresses only and/or use a firewall to disallow web requests from untrusted sources reaching the webserver listening address.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1199	powerdns-recursor	4.3.1-1	4.3.2-1	Low	Fixed

References
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html https://github.com/PowerDNS/pdns/commit/3bba454b35c883d20297a772c13f3e82b115ac88