An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2018-01-23T15:00:00Z

Updated: 2024-08-05T19:50:14.942Z

Reserved: 2017-10-08T00:00:00

Link: CVE-2017-15091

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-01-23T15:29:00.277

Modified: 2024-11-21T03:14:03.160

Link: CVE-2017-15091

cve-icon Redhat

No data.