DEBIAN-CVE-2023-50868
PUBLISHED
CVSS 7.5 HIGH
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
Risk Scores
CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | dnsjava | 3.6.3-1, 0, 2.1.8-2 |
| Debian:14 | bind9 | 0, 0, 0 |
| Debian:11 | dnsmasq | 2.85-1, 0, 0 |
| Debian:14 | dnsjava | 0, 0, 0 |
| Debian:12 | unbound | 0, *, * |
| Debian:12 | knot-resolver | 0, 5.6.0-1, 0 |
| Debian:11 | dnsjava | 3.6.3-1, 3.6.2-2, 3.6.2-1 |
| Debian:13 | dnsmasq | 0, 0, 0 |
| Debian:13 | unbound | 0, 0, 0 |
| Debian:11 | knot-resolver | 6.0.9-1, 5.3.1-1, 5.3.1-1+deb11u1 |
| Debian:14 | unbound | 0, 0, 0 |
| Debian:11 | pdns-recursor | 4.7.3-1, 4.7.4-1, 4.8.0-1 |
| Debian:11 | bind9 | 9.16.33-1, 1:9.16.33-1~deb11u1, 1:9.16.27-1~deb11u1~bpo10+1 |
| Debian:13 | bind9 | 0, 0, 0 |
| Debian:14 | pdns-recursor | 0, 0, 0 |
| Debian:12 | bind9 | 1:9.18.19-1~deb12u1, 1:9.18.13-1, 1:9.18.12-1 |
| Debian:13 | knot-resolver | 0, 0, 0 |
| Debian:11 | unbound | 1.13.1-1, 0, 1.13.1-1 |
| Debian:14 | knot-resolver | 0, 0, 0 |
| Debian:13 | dnsjava | 0, 0, 0 |
…and 8 more
Timeline
- Feb 14, 2024 CVE Published
- Apr 28, 2026 CVE Updated