An issue has been found in the API component of PowerDNS Authoritative, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY. This issue has been assigned CVE-2017-15091. PowerDNS Authoritative up to and including 4.0.4 and 3.4.11 are affected. References: https://bugs.gentoo.org/638566 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15091 https://github.com/PowerDNS/pdns/pull/5996/commits/245a2c8211db2f6c5771f93671e4eb80d4e0a0c7
Created pdns tracking bugs for this issue: Affects: fedora-all [bug 1523486]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.