CVE-2020-14196

Severity: Low
Remote: Yes
Type: Access restriction bypass
Description
An issue has been found in PowerDNS Recursor before 4.3.2 where the ACL applied to the internal web server via `webserver-allow-from` is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction. Note that the web server is not enabled by default. Only installations using a non-default value for `webserver` and `webserver-address` are affected.

Workarounds are: disable the webserver or set a password or an API key. Additionally, restrict the binding address using the `webserver-address` setting to local addresses only and/or use a firewall to disallow web requests from untrusted sources reaching the webserver listening address.
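
The affected-configuration test and the credential workaround described above can be checked mechanically. The following is an added example, not code from PowerDNS or from this tracker. The function names and finding codes are hypothetical, and `webserver-password` and `api-key` are the Recursor setting names assumed for "a password or an API key".

```python
import ipaddress

FIXED = (4, 3, 2)  # first fixed release, per the advisory
# Assumed defaults (Recursor docs): web server off, bound to 127.0.0.1, no credentials.
DEFAULTS = {"webserver": "no", "webserver-address": "127.0.0.1",
            "webserver-password": "", "api-key": ""}

def parse_conf(text):
    """Parse recursor.conf-style 'key=value' lines; '#' starts a comment."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def is_local(addr):
    """True only for loopback addresses; unparsable values count as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit(version, conf_text):
    """Return finding codes for CVE-2020-14196; an empty list means not exposed."""
    conf = parse_conf(conf_text)
    release = tuple(int(p) for p in version.split("-")[0].split("."))
    # Conservative assumption: any value other than no/off enables the web server.
    enabled = conf["webserver"].lower() not in ("no", "off")
    if release >= FIXED or not enabled or is_local(conf["webserver-address"]):
        return []
    findings = ["acl-bypass"]  # webserver-allow-from cannot be relied on here
    if not conf["webserver-password"] and not conf["api-key"]:
        findings.append("no-credentials")  # neither workaround credential is set
    return findings

# Constructed sample configuration, not taken from a real host.
EXPOSED = "webserver=yes\nwebserver-address=0.0.0.0\nwebserver-allow-from=10.0.0.0/8\n"

if __name__ == "__main__":
    print(audit("4.3.1-1", EXPOSED))
    print(audit("4.3.1-1", EXPOSED + "api-key=constructed-key\n"))
    print(audit("4.3.2-1", EXPOSED))
```

A host that reports `acl-bypass` with credentials set is mitigated by the workaround but still needs the upgrade to 4.3.2 for `webserver-allow-from` to take effect.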

| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-1199 | powerdns-recursor | 4.3.1-1 | 4.3.2-1 | Low | Fixed | |

References
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html
https://github.com/PowerDNS/pdns/commit/3bba454b35c883d20297a772c13f3e82b115ac88