CVE-2020-8619

EUVD-2020-29467

17.06.2020, 22:15

In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1: Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.9 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
isc	CNA	4.9 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 91%

Affected Products (NVD)

Vendor	Product	Version
isc	bind	9.11.14 ≤ 𝑥 ≤ 9.11.19
isc	bind	9.11.14-s1 ≤ 𝑥 ≤ 9.11.19-s1
isc	bind	9.14.9 ≤ 𝑥 ≤ 9.14.12
isc	bind	9.16.0 ≤ 𝑥 ≤ 9.16.3
opensuse	leap	15.1
opensuse	leap	15.2
debian	debian_linux	10.0
canonical	ubuntu_linux	20.04
netapp	steelstore_cloud_integrated_storage	-

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

bind9

bookworm	1:9.18.28-1~deb12u2 fixed
bookworm (security)	1:9.18.28-1~deb12u2 fixed
bullseye	1:9.16.50-1~deb11u2 fixed
bullseye (security)	1:9.16.50-1~deb11u1 fixed
jessie	not-affected
sid	1:9.20.2-1 fixed
stretch	not-affected
trixie	1:9.20.2-1 fixed