CVE-2017-15093 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2017-15093 Interim 1 9 2023-12-08T01:20:43Z current 2021-05-30T14:02:50Z 2023-12-08T01:20:43Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2017-15093 When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor's configuration. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Tumbleweed pdns-recursor-4.5.5-1.3 pdns-recursor-4.5.5-1.3 as a component of openSUSE Tumbleweed When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor's configuration. CVE-2017-15093 openSUSE Tumbleweed:pdns-recursor-4.5.5-1.3 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N 5.3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N