CVE-2020-14196 - log

CVE-2020-14196 edited at 07 Jul 2020 15:11:39
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Access restriction bypass
Description
+ An issue has been found in PowerDNS Recursor before 4.3.2 where the ACL applied to the internal web server via `webserver-allow-from` is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction. Note that the web server is not enabled by default. Only installations using a non-default value for `webserver` and `webserver-address` are affected.
+
+ Workarounds are: disable the webserver or set a password or an API key. Additionally, restrict the binding address using the `webserver-address` setting to local addresses only and/or use a firewall to disallow web requests from untrusted sources reaching the webserver listening address.
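Added example, not part of the advisory or of the PowerDNS project: a small Python audit that reads a recursor.conf and reports whether the workarounds above are in place. It assumes the key=value format of recursor.conf, the settings named in the description, and the `webserver-password` and `api-key` settings; both sample configurations are constructed.

```python
import ipaddress

# Constructed sample configurations (not real deployments): the first relies on
# the webserver-allow-from ACL that this advisory says is not enforced, the
# second applies the workarounds the advisory lists.
WEAK_CONF = """
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=192.0.2.0/24   # ACL alone: bypassable before 4.3.2
"""
HARDENED_CONF = """
webserver=yes
webserver-address=127.0.0.1
api-key=REPLACE_WITH_A_LONG_RANDOM_KEY   # placeholder value
"""


def parse_recursor_conf(text):
    """Parse key=value lines of a recursor.conf into a dict; later keys win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_webserver(text):
    """Return a list of findings; an empty list means the workarounds are in place."""
    s = parse_recursor_conf(text)
    if s.get("webserver", "no").lower() not in ("yes", "true", "on", "1"):
        return []                                    # web server off: not affected
    findings = []
    addr = s.get("webserver-address", "127.0.0.1")   # assumed recursor default
    try:
        loopback = ipaddress.ip_address(addr).is_loopback
    except ValueError:
        loopback = False                             # hostname etc.: treat as exposed
    if not loopback:
        findings.append("webserver-address=%s is not a loopback address" % addr)
    if not s.get("webserver-password") and not s.get("api-key"):
        findings.append("neither webserver-password nor api-key is set; "
                        "webserver-allow-from alone does not protect before 4.3.2")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_webserver(conf) or "OK")
```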
References
+ https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html
+ https://github.com/PowerDNS/pdns/commit/3bba454b35c883d20297a772c13f3e82b115ac88
Notes
CVE-2020-14196 created at 07 Jul 2020 15:08:25