CVE-2024-25638
8.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Summary
dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| dnsjava | dnsjava | < 3.6.0 | affected |
Weaknesses
- CWE-345: CWE-345: Insufficient Verification of Data Authenticity
- CWE-349: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
- https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw
- https://github.com/dnsjava/dnsjava/commit/bc51df1c455e6c9fb7cbd42fcb6d62d16047818d
References
- https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw
- https://github.com/dnsjava/dnsjava/commit/2073a0cdea2c560465f7ac0cc56f202e6fc39705
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.