CVE-2020-14196

Severity: Low
Remote: Yes
Type: Access restriction bypass
An issue has been found in PowerDNS Recursor before 4.3.2 where the ACL applied to the internal web server via `webserver-allow-from` is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction. Note that the web server is not enabled by default. Only installations using a non-default value for `webserver` and `webserver-address` are affected.

Workarounds are: disable the webserver or set a password or an API key. Additionally, restrict the binding address using the `webserver-address` setting to local addresses only and/or use a firewall to disallow web requests from untrusted sources reaching the webserver listening address.
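
A configuration check for the exposure and workarounds described above, as an added example that is not part of the advisory or of PowerDNS: it reads `recursor.conf`-style text and reports whether a Recursor before 4.3.2 has its web server enabled on a non-local address, and whether neither a password nor an API key is set. The function names, finding codes and sample configuration are constructed for illustration; `webserver-password` and `api-key` are the Recursor settings behind the password and API key workarounds, and a plain numeric version string is assumed.

```python
import ipaddress

FIXED = (4, 3, 2)  # first fixed Recursor release, per the advisory

def parse_conf(text):
    """Parse 'key=value' lines; text after '#' is dropped (simplification)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # not a plain IP literal: do not assume it is local

def audit(conf_text, version):
    """Return finding codes for CVE-2020-14196 exposure (empty list = OK)."""
    s = parse_conf(conf_text)
    # The web server is off by default; only an enabled one is exposed.
    if s.get("webserver", "no").lower() in ("no", "off", ""):
        return []
    upstream = version.split("-")[0]  # drop a package release such as "-1"
    if tuple(int(p) for p in upstream.split(".")[:3]) >= FIXED:
        return []  # ACL is enforced from 4.3.2 on
    if is_loopback(s.get("webserver-address", "127.0.0.1")):
        return []  # bound to a local address only
    findings = ["acl-not-enforced"]  # webserver-allow-from cannot be relied on
    if not s.get("webserver-password") and not s.get("api-key"):
        findings.append("no-password-or-api-key")
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
webserver=yes
webserver-address=0.0.0.0   # listens on every interface
webserver-allow-from=192.0.2.0/24
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "4.3.1-1"))
```

A firewall in front of the listening address is outside what this check can see, so a finding here still needs to be weighed against network-level filtering.
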

| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-1199 | powerdns-recursor | 4.3.1-1 | 4.3.2-1 | Low | Fixed | |