CVE-2017-9107

EPSS 0.53%
Published 18.06.2020 14:15:10
Last modified 21.11.2024 03:35:20
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in adns before 1.5.2. It overruns reading a buffer if a domain ends with backslash. If the query domain ended with \, and adns_qf_quoteok_query was specified, qdparselabel would read additional bytes from the buffer and try to treat them as the escape sequence. It would depart the input buffer and start processing many bytes of arbitrary heap data as if it were the query domain. Eventually it would run out of input or find some other kind of error, and declare the query domain invalid. But before then it might outrun available memory and crash. In principle this could be a denial of service attack.

Affected products Warnungen 0 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Gnu ≫ Adns Version < 1.5.2

Fedoraproject ≫ Fedora Version31

Fedoraproject ≫ Fedora Version32

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.53%	0.646

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git

Third Party Advisory

http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git%3Ba=blob%3Bf=changelog

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRVHN3GGVNQWAOL3PWC5FLAV7HUESLZR/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UGFZ4SPV6KFQK6ZNUZFB5Y32OYFOM5YJ/

https://www.chiark.greenend.org.uk/pipermail/adns-announce/2020/000004.html

Third Party Advisory

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2017-9107

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-9107

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-9107

EUVD