CVE-2023-29483

Опубликовано: 11 апр. 2024

Источник: nvd

CVSS3: 7

EPSS Низкий

Описание

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.

Ссылки

https://github.com/eventlet/eventlet/issues/913
Exploit
Issue Tracking
https://github.com/eventlet/eventlet/releases/tag/v0.35.2
Release Notes
https://github.com/rthalley/dnspython/issues/1045
Exploit
Issue Tracking
https://github.com/rthalley/dnspython/releases/tag/v2.6.0
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF/
Mailing List
https://security.netapp.com/advisory/ntap-20240510-0001/
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713
Third Party Advisory
https://www.dnspython.org/
Product
https://github.com/eventlet/eventlet/issues/913
Exploit
Issue Tracking
https://github.com/eventlet/eventlet/releases/tag/v0.35.2
Release Notes
https://github.com/rthalley/dnspython/issues/1045
Exploit
Issue Tracking
https://github.com/rthalley/dnspython/releases/tag/v2.6.0
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF/
Mailing List
https://security.netapp.com/advisory/ntap-20240510-0001/
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713
Third Party Advisory
https://www.dnspython.org/
Product

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:eventlet:eventlet:*:*:*:*:*:*:*:*

Версия до 0.35.2 (исключая)

Конфигурация 2

cpe:2.3:a:dnspython:dnspython:*:*:*:*:*:*:*:*

Версия до 2.6.0 (исключая)

Конфигурация 3

Одно из

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*

Конфигурация 4

Одновременно

cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

EPSS

Процентиль: 87%

0.03636

Низкий

7 High

CVSS3

Дефекты

CWE-292

Связанные уязвимости

CVE-2023-29483

CVSS3: 7

ubuntu

больше 1 года назад

CVE-2023-29483

CVSS3: 5.9

redhat

больше 1 года назад

CVE-2023-29483

CVSS3: 7

debian

больше 1 года назад

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remo ...

SUSE-SU-2024:3298-1

suse-cvrf

11 месяцев назад

Security update for python-dnspython

SUSE-SU-2024:3297-1

suse-cvrf

11 месяцев назад

Security update for python-dnspython

EPSS

Процентиль: 87%

0.03636

Низкий

7 High

CVSS3

Дефекты

CWE-292