CVE-2023-29483

Опубликовано: 11 апр. 2024

Источник: nvd

CVSS3: 7

EPSS Низкий

Описание

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.

Ссылки

https://github.com/eventlet/eventlet/issues/913
Exploit
Issue Tracking
https://github.com/eventlet/eventlet/releases/tag/v0.35.2
Release Notes
https://github.com/rthalley/dnspython/issues/1045
Exploit
Issue Tracking
https://github.com/rthalley/dnspython/releases/tag/v2.6.0
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF/
Mailing List
https://security.netapp.com/advisory/ntap-20240510-0001/
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713
Third Party Advisory
https://www.dnspython.org/
Product
https://github.com/eventlet/eventlet/issues/913
Exploit
Issue Tracking
https://github.com/eventlet/eventlet/releases/tag/v0.35.2
Release Notes
https://github.com/rthalley/dnspython/issues/1045
Exploit
Issue Tracking
https://github.com/rthalley/dnspython/releases/tag/v2.6.0
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF/
Mailing List
https://security.netapp.com/advisory/ntap-20240510-0001/
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713
Third Party Advisory
https://www.dnspython.org/
Product

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:eventlet:eventlet:*:*:*:*:*:*:*:*

Версия до 0.35.2 (исключая)

Конфигурация 2

cpe:2.3:a:dnspython:dnspython:*:*:*:*:*:*:*:*

Версия до 2.6.0 (исключая)

Конфигурация 3

Одно из

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*

Конфигурация 4

Одновременно

cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

EPSS

Процентиль: 77%

0.01121

Низкий

7 High

CVSS3

Дефекты

CWE-292

Связанные уязвимости

CVE-2023-29483

CVSS3: 7

ubuntu

около 1 года назад

CVE-2023-29483

CVSS3: 5.9

redhat

больше 1 года назад

CVE-2023-29483

CVSS3: 7

debian

около 1 года назад

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remo ...

SUSE-SU-2024:3298-1

suse-cvrf

9 месяцев назад

Security update for python-dnspython

SUSE-SU-2024:3297-1

suse-cvrf

9 месяцев назад

Security update for python-dnspython

EPSS

Процентиль: 77%

0.01121

Низкий

7 High

CVSS3

Дефекты

CWE-292