Allocation of Resources Without Limits or Throttling
CVE-2024-1975
Summary
In BIND 9, if a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This vulnerability affects bind9 package versions 9.0.0a1 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, and 9.19.0 through 9.19.24. This vulnerability also affects bind9 stable release versions 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.