{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-01-26T00:00:00", "descriptions": [{"lang": "en", "value": "The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-21T23:07:07", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "openSUSE-SU-2016:0371", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00042.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bto.bluecoat.com/security-advisory/sa115"}, {"name": "GLSA-201606-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201606-06"}, {"name": "1034869", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1034869"}, {"name": "[nginx] 20160126 nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html"}, {"name": "RHSA-2016:1425", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2016:1425"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1302589"}, {"name": "DSA-3473", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3473"}, {"name": "USN-2892-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2892-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.apple.com/kb/HT212818"}, {"name": "20210921 APPLE-SA-2021-09-20-4 Xcode 13", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2021/Sep/36"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2016-0747", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2016:0371", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00042.html"}, {"name": "https://bto.bluecoat.com/security-advisory/sa115", "refsource": "CONFIRM", "url": "https://bto.bluecoat.com/security-advisory/sa115"}, {"name": "GLSA-201606-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201606-06"}, {"name": "1034869", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034869"}, {"name": "[nginx] 20160126 nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)", "refsource": "MLIST", "url": "http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html"}, {"name": "RHSA-2016:1425", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1425"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1302589", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1302589"}, {"name": "DSA-3473", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3473"}, {"name": "USN-2892-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2892-1"}, {"name": "https://support.apple.com/kb/HT212818", "refsource": "CONFIRM", "url": "https://support.apple.com/kb/HT212818"}, {"name": "20210921 APPLE-SA-2021-09-20-4 Xcode 13", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2021/Sep/36"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T22:30:04.106Z"}, "title": "CVE Program Container", "references": [{"name": "openSUSE-SU-2016:0371", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00042.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bto.bluecoat.com/security-advisory/sa115"}, {"name": "GLSA-201606-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201606-06"}, {"name": "1034869", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1034869"}, {"name": "[nginx] 20160126 nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html"}, {"name": "RHSA-2016:1425", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2016:1425"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1302589"}, {"name": "DSA-3473", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3473"}, {"name": "USN-2892-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2892-1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.apple.com/kb/HT212818"}, {"name": "20210921 APPLE-SA-2021-09-20-4 Xcode 13", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2021/Sep/36"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-0747", "datePublished": "2016-02-15T19:00:00", "dateReserved": "2015-12-16T00:00:00", "dateUpdated": "2024-08-05T22:30:04.106Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB42AA9F-E2F7-471C-AAC1-953469630349", "versionEndExcluding": "1.8.1", "versionStartIncluding": "0.6.18", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*", "matchCriteriaId": "E90F693D-8EEF-4222-B562-67629C7C72DF", "versionEndExcluding": "1.9.10", "versionStartIncluding": "1.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", "matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", "matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB279F6B-EE4C-4885-9CD4-657F6BD2548F", "versionEndExcluding": "13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution."}, {"lang": "es", "value": "El traductor de direcciones en nginx en versiones anteriores a 1.8.1 y 1.9.x en versiones anteriores a 1.9.10 no limita correctamente la resoluci\u00f3n CNAME, lo que permite a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de recursos por el proceso trabajador) a trav\u00e9s de vectores relacionados con la resoluci\u00f3n de nombre arbitrario."}], "id": "CVE-2016-0747", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-02-15T19:59:02.123", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00042.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2021/Sep/36"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2016/dsa-3473"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1034869"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2892-1"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2016:1425"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://bto.bluecoat.com/security-advisory/sa115"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1302589"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201606-06"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT212818"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00042.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2021/Sep/36"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2016/dsa-3473"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1034869"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2892-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2016:1425"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://bto.bluecoat.com/security-advisory/sa115"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1302589"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201606-06"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT212818"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2016:1425", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-nginx18-nginx-1:1.8.1-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-07-14T00:00:00Z"}, {"advisory": "RHSA-2016:1425", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-nginx18-nginx-1:1.8.1-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-07-14T00:00:00Z"}, {"advisory": "RHSA-2016:1425", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-nginx18-nginx-1:1.8.1-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-07-14T00:00:00Z"}, {"advisory": "RHSA-2016:1425", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-nginx18-nginx-1:1.8.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-07-14T00:00:00Z"}, {"advisory": "RHSA-2016:1425", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-nginx18-nginx-1:1.8.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-07-14T00:00:00Z"}, {"advisory": "RHSA-2016:1425", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-nginx18-nginx-1:1.8.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-07-14T00:00:00Z"}], "bugzilla": {"description": "nginx: Insufficient limits of CNAME resolution in resolver", "id": "1302589", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1302589"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "verified"}, "cwe": "CWE-400", "details": ["The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.", "It was discovered that nginx did not limit recursion when resolving CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to use an excessive amount of resources if nginx enabled the resolver in its configuration."], "name": "CVE-2016-0747", "package_state": [{"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Will not fix", "package_name": "nginx16-nginx", "product_name": "Red Hat Software Collections"}], "public_date": "2016-01-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-0747\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-0747\nhttp://mailman.nginx.org/pipermail/nginx-announce/2016/000169.html"], "threat_severity": "Moderate"}