DEBIAN-CVE-2023-50387
PUBLISHED
CVSS 7.5 HIGH
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | dnsmasq | 0, 0, 0 |
| Debian:11 | dnsmasq | 2.85-1, 0, 0 |
| Debian:12 | unbound | 0, 0, 1.17.1-2+deb12u1 |
| Debian:13 | pdns-recursor | 0, 0, 0 |
| Debian:12 | dnsmasq | 2.90-1, 2.89-1, 0 |
| Debian:11 | bind9 | *, *, 9.16.44-1 |
| Debian:14 | systemd | 0, 0, 0 |
| Debian:11 | knot-resolver | 5.7.4-2, 6.0.10-1, 6.0.13-1 |
| Debian:13 | dnsjava | 0, 0, 0 |
| Debian:14 | dnsjava | 0, 0, 0 |
| Debian:13 | bind9 | 0, 0, 0 |
| Debian:12 | pdns-recursor | 4.8.4-1, 0, 4.8.4-1 |
| Debian:13 | systemd | 0, 0, 0 |
| Debian:13 | knot-resolver | 0, 0, 0 |
| Debian:14 | knot-resolver | 0, 0, 0 |
| Debian:13 | dnsmasq | 0, 0, 0 |
| Debian:12 | knot-resolver | 0, 5.6.0-1, 5.6.0-1 |
| Debian:14 | pdns-recursor | 0, 0, 0 |
| Debian:11 | systemd | 247.3-7+deb11u1, 247.3-7, 0 |
| Debian:12 | dnsjava | 2.1.8-2, 0, 3.6.3-1 |
…and 8 more
Exploit Intelligence
- In this repository you can find the files used to try to produce a POC for the CVE-2023-50387 (github-poc-repo)
- Pablodiz/CVE-2023-50387 (github-poc-repo)
- Pablodiz/CVE-2023-50387 (github-poc)
- In this repository you can find the files used to try to produce a POC for the CVE-2023-50387 (github-poc)
- KeyTrap (DNSSEC) (github-poc)
- errata73.html (github-poc)
Timeline
- Feb 14, 2024 CVE Published
- Apr 28, 2026 CVE Updated