| CARVIEW |
Select Language
HTTP/2 200
content-type: text/html; charset=utf-8
content-length: 17106
last-modified: Mon, 26 May 2025 12:58:34 GMT
x-amz-server-side-encryption: AES256
x-amz-meta-mtime: 1748264165
x-amz-version-id: 0ybdOp1.0JJCaw6OmNXez_qBX65kE6y0
accept-ranges: bytes
server: AmazonS3
date: Sun, 03 Aug 2025 11:11:00 GMT
etag: "cdd92a3c6a3de989a07f71aef7a646b0"
x-cache: RefreshHit from cloudfront
via: 1.1 d3d6c93444f7baa05d8204eb2c6d2194.cloudfront.net (CloudFront)
x-amz-cf-pop: SOF50-C1
x-amz-cf-id: RVbxW9zbgSmgYexPgm0km4PhMPx9tG313W0bmQQC5iPV0EZbCoAPNg==
PowerDNS Security Advisory 2020-05: Leaking uninitialised memory through crafted zone records — PowerDNS Authoritative Server documentation
Navigation
PowerDNS Authoritative Server
Previous topic
PowerDNS Security Advisory 2019-06: Denial of service via crafted zone records
Next topic
PowerDNS Security Advisory 2020-06: Various issues in our GSS-TSIG support
Contents
- PowerDNS Authoritative Nameserver
- Installing PowerDNS
- Upgrade Notes
- DNS Modes of Operation
- Migrating to PowerDNS
- Running and Operating
- Security of PowerDNS
- Performance and Tuning
- DNSSEC
- Per zone settings: Domain Metadata
- Dynamic DNS Update (RFC 2136)
- Catalog Zones (RFC 9432)
- TSIG
- Views
- Lua Records
- Guides and How Tos
- Backends
- Built-in Webserver and HTTP API
- Manual Pages
- Authoritative Server Settings
- Security Advisories
- PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor
- PowerDNS Security Advisory 2021-01: Specific query crashes Authoritative Server
- PowerDNS Security Advisory 2020-06: Various issues in our GSS-TSIG support
- PowerDNS Security Advisory 2020-05: Leaking uninitialised memory through crafted zone records
- PowerDNS Security Advisory 2019-06: Denial of service via crafted zone records
- PowerDNS Security Advisory 2019-05: Denial of service via NOTIFY packets
- PowerDNS Security Advisory 2019-04: Denial of service via crafted zone records
- PowerDNS Security Advisory 2019-03: Insufficient validation in the HTTP remote backend
- PowerDNS Security Advisory 2018-05: Packet cache pollution via crafted query
- PowerDNS Security Advisory 2018-03: Crafted zone record can cause a denial of service
- PowerDNS Security Advisory 2018-02: Buffer overflow in dnsreplay
- PowerDNS Security Advisory 2017-04: Missing check on API operations
- PowerDNS Security Advisory 2016-05: Crafted zone record can cause a denial of service
- PowerDNS Security Advisory 2016-04: Insufficient validation of TSIG signatures
- PowerDNS Security Advisory 2016-03: Denial of service via the web server
- PowerDNS Security Advisory 2016-02: Crafted queries can cause abnormal CPU usage
- PowerDNS Security Advisory 2016-01: Crafted queries can cause unexpected backend load
- PowerDNS Security Advisory 2015-03: Packet parsing bug can lead to crashes
- PowerDNS Security Advisory 2015-02: Packet parsing bug can cause thread or process abortion
- PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes or CPU spikes
- PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop
- PowerDNS Security Advisory 2008-03: Some PowerDNS Configurations can be forced to restart remotely
- PowerDNS Security Advisory 2008-02: By not responding to certain queries, domains become easier to spoof
- Older security advisories
- Changelogs
- End of life statements
- Frequently Asked Questions
- Backend writers’ guide
- Compiling PowerDNS
- Cryptographic software and export control
- Internals
- Supported Record Types
- PowerDNS/dnsdist license
This Page
- Docs
- Security Advisories
- PowerDNS Security Advisory 2020-05: Leaking uninitialised memory through crafted zone records
PowerDNS Security Advisory 2020-05: Leaking uninitialised memory through crafted zone records¶
- CVE: CVE-2020-17482
- Date: September 22nd, 2020
- Affects: PowerDNS Authoritative 4.3.0 and earlier
- Not affected: 4.3.1 and up, 4.2.3 and up, 4.1.14 and up
- Severity: Low
- Impact: Information leak
- Exploit: This problem can be triggered via crafted records by an authorized user
- Risk of system compromise: Low
- Solution: Upgrade to a fixed version
- Workaround: Do not take zone data from untrusted users
An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. Such a user could be a customer inserting data via a control panel, or somebody with access to the REST API. Crafted records cannot be inserted via AXFR.
This issue has been assigned CVE-2020-17482.
PowerDNS Authoritative up to and including version 4.3.0 are affected. Please note that at the time of writing, PowerDNS Authoritative 4.0 and below are no longer supported, as described in https://doc.powerdns.com/authoritative/appendices/EOL.html.
We would like to thank Nathaniel Ferguson for finding and subsequently reporting this issue!
Navigation
© Copyright PowerDNS.COM BV. Created using Sphinx.