CVE-2014-8602

iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:N/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 92%
VendorProductVersion
nlnetlabsunbound
𝑥
≤ 1.5.0
canonicalubuntu_linux
14.04
canonicalubuntu_linux
14.10
debiandebian_linux
7.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
unbound
bullseye
1.13.1-1+deb11u2
fixed
bullseye (security)
1.13.1-1+deb11u3
fixed
bookworm
1.17.1-2+deb12u2
fixed
bookworm (security)
1.17.1-2+deb12u2
fixed
sid
1.22.0-1
fixed
trixie
1.22.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
unbound
zesty
Fixed 1.4.22-1ubuntu5
released
yakkety
Fixed 1.4.22-1ubuntu5
released
xenial
Fixed 1.4.22-1ubuntu5
released
wily
Fixed 1.4.22-1ubuntu5
released
vivid
Fixed 1.4.22-1ubuntu5
released
utopic
Fixed 1.4.22-1ubuntu4.14.10.1
released
trusty
Fixed 1.4.22-1ubuntu4.14.04.1
released
precise
ignored
lucid
ignored
Common Weakness Enumeration
References
http://cert.ssi.gouv.fr/site/CERTFR-2014-AVI-512/index.html
http://unbound.net/downloads/patch_cve_2014_8602.diff
http://www.debian.org/security/2014/dsa-3097
http://www.kb.cert.org/vuls/id/264212
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.securityfocus.com/bid/71589
http://www.ubuntu.com/usn/USN-2484-1
https://unbound.net/downloads/CVE-2014-8602.txt
http://cert.ssi.gouv.fr/site/CERTFR-2014-AVI-512/index.html
http://unbound.net/downloads/patch_cve_2014_8602.diff
http://www.debian.org/security/2014/dsa-3097
http://www.kb.cert.org/vuls/id/264212
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.securityfocus.com/bid/71589
http://www.ubuntu.com/usn/USN-2484-1
https://unbound.net/downloads/CVE-2014-8602.txt