CVE-2016-0747

MEDIUM severity · CVSS 5.3 · Uncontrolled resource consumption

5.3CVSS MEDIUM

Summary

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactNone

Integrity impactNone

Availability impactLow

Exploit probability (EPSS)20%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products we track (3)

Nginx Ubuntu Debian

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
http://mailman.nginx.org/pipermail/nginx/2016-January/049700.htmlAdvisory
http://lists.opensuse.org/opensuse-updates/2016-02/msg00042.htmlAdvisory
http://seclists.org/fulldisclosure/2021/Sep/36Advisory
http://www.debian.org/security/2016/dsa-3473Advisory
http://www.securitytracker.com/id/1034869Advisory
http://www.ubuntu.com/usn/USN-2892-1Advisory
https://access.redhat.com/errata/RHSA-2016:1425Advisory
https://bto.bluecoat.com/security-advisory/sa115Advisory