Описание
Unbound before 1.9.5 allows an integer overflow in a size calculation in dnscrypt/dnscrypt.c. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
A flaw was found in unbound. An integer overflow in dnsc_load_local_data function may lead to a buffer overflow of the allocated buffer if the size can be controlled by an attacker. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability.
Отчет
There is no available reproducer or proof of concept for this issue, nor it was ever proven the integer overflow can lead to a buffer overflow in practice. Indeed in the original report this issue was considered one that might not be triggered and for this reason its Impact is Moderate. Upstream has also disputed this CVE.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | unbound | Out of support scope | ||
| Red Hat Enterprise Linux 7 | unbound | Out of support scope | ||
| Red Hat Enterprise Linux 9 | unbound | Not affected | ||
| Red Hat Enterprise Linux 8 | unbound | Fixed | RHSA-2021:1853 | 18.05.2021 |
| Red Hat Enterprise Linux 8.2 Extended Update Support | unbound | Fixed | RHSA-2022:0632 | 22.02.2022 |
Показывать по
Дополнительная информация
Статус:
EPSS
9.8 Critical
CVSS3
Связанные уязвимости
Unbound before 1.9.5 allows an integer overflow in a size calculation in dnscrypt/dnscrypt.c. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
Unbound before 1.9.5 allows an integer overflow in a size calculation in dnscrypt/dnscrypt.c. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
Unbound before 1.9.5 allows an integer overflow in a size calculation ...
Unbound before 1.9.5 allows an integer overflow in a size calculation in dnscrypt/dnscrypt.c.
Уязвимость функции dnsc_load_local_data DNS-сервера Unbound, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
EPSS
9.8 Critical
CVSS3