CVE-2023-50868
HIGH 7.5 | EPSS 12.4% | Published: 2/14/2024 | Modified: 12/24/2025
Also known as: ALPINE-CVE-2023-50868
Description
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
Affected packages (10)
- Alpine/bind: from 0, < 9.16.48-r0
- Alpine/dnsmasq: from 0, < 2.90-r0
- Alpine/unbound: from 0, < 1.19.1-r0
- Debian/bind9: from 0, < 1:9.16.48-1
- Debian/dnsjava: from 0
- Debian/dnsmasq: from 0, < 2.85-1+deb11u1
- Debian/knot-resolver: from 0
- Debian/pdns-recursor: from 0
- Debian/systemd: from 0, < 247.3-7+deb11u6
- Debian/unbound: from 0, < 1.13.1-1+deb11u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |