CVE-2023-31442

EPSS 0.12%
Veröffentlicht 11.05.2023 02:15:09
Zuletzt bearbeitet 27.01.2025 17:15:13
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In Lightbend Akka before 2.8.1, the async-dns resolver (used by Discovery in DNS mode and transitively by Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not validate (e.g., via TLS) the authenticity of the discovered service, this may result in exfiltration of application data (e.g., persistence events may be published to an unintended Kafka broker). If such validation is performed, then the poisoning constitutes a denial of access to the intended service. This affects Akka 2.5.14 through 2.8.0, and Akka Discovery through 2.8.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 0 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lightbend ≫ Akka Actor Version >= 2.5.14 < 2.8.1

Lightbend ≫ Akka Discovery Version < 2.8.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.315

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

https://akka.io/security/akka-async-dns-2023-31442.html

Vendor Advisory

https://lightbend.com

Product

https://nvd.nist.gov/vuln/detail/CVE-2023-31442

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-31442

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-31442

EUVD