Описание
Unbound before 1.9.5 allows configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session. NOTE: The vendor does not consider this a vulnerability of the Unbound software. create_unbound_ad_servers.sh is a contributed script from the community that facilitates automatic configuration creation. It is not part of the Unbound installation
A flaw was found in unbound. The create_unbound_ad_servers.sh bash script does not properly sanitize input data, which is retrieved using an unencrypted, unauthenticated HTTP request, before writing the configuration file allowing a man-in-the-middle attack. The highest threat from this vulnerability is to data integrity and system availability.
Отчет
This issue did not affect the versions of unbound as shipped with Red Hat Enterprise Linux 7, and 8 as they did not include the vulnerable script create_unbound_ad_servers.sh.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | unbound | Out of support scope | ||
| Red Hat Enterprise Linux 7 | unbound | Not affected | ||
| Red Hat Enterprise Linux 8 | unbound | Not affected | ||
| Red Hat Enterprise Linux 9 | unbound | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.9 Medium
CVSS3
Связанные уязвимости
Unbound before 1.9.5 allows configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session. NOTE: The vendor does not consider this a vulnerability of the Unbound software. create_unbound_ad_servers.sh is a contributed script from the community that facilitates automatic configuration creation. It is not part of the Unbound installation
Unbound before 1.9.5 allows configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session. NOTE: The vendor does not consider this a vulnerability of the Unbound software. create_unbound_ad_servers.sh is a contributed script from the community that facilitates automatic configuration creation. It is not part of the Unbound installation
Unbound before 1.9.5 allows configuration injection in create_unbound_ ...
Unbound before 1.9.5 allows configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session.
Уязвимость компонента create_unbound_ad_servers.sh DNS-сервера Unbound, позволяющая нарушителю оказать воздействие на целостность данных
EPSS
5.9 Medium
CVSS3