CVE-2017-15091

An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY.

Published: Jan 23, 2018
Updated: Apr 13, 2023
CVE: CVE-2017-15091
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.1
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CVSS v2:

Severity: Medium
Score: 5.5
AV:N/AC:L/Au:S/C:N/I:P/A:P

CWEs:

CWE-358

Affected Software
References

Software	From	Fixed in
powerdns / authoritative	4.0.0	4.0.4.x
powerdns / authoritative	3.0	3.4.11.x

http://www.securityfocus.com/bid/101982
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html

Vulnerability Database

289,697

CVE-2017-15091