CVE-2015-8899 - Vulnerability Details - OpenCVE

Dnsmasq before 2.76 allows remote servers to cause a denial of service (crash) via a reply with an empty DNS address that has an (1) A or (2) AAAA record defined locally.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Thekelleys	Dnsmasq

Configuration 1 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:15.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::

Configuration 2 [-]

cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010505.html
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=41a8d9e99be9f2cc8b02051dd322cb45e0faac87
http://www.openwall.com/lists/oss-security/2016/06/03/7
http://www.openwall.com/lists/oss-security/2016/06/04/2
http://www.securityfocus.com/bid/91031
http://www.securitytracker.com/id/1036045
http://www.ubuntu.com/usn/USN-3009-1
https://nvd.nist.gov/vuln/detail/CVE-2015-8899
https://www.cve.org/CVERecord?id=CVE-2015-8899

History

No history.

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2016-06-30T17:00:00

Updated: 2024-08-06T08:29:22.024Z

Reserved: 2016-06-03T00:00:00

Link: CVE-2015-8899

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2016-06-30T17:59:00.157

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-8899

Redhat

Severity : Low

Publid Date: 2015-11-14T00:00:00Z

Links: CVE-2015-8899 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-04-18T00:00:00", "descriptions": [{"lang": "en", "value": "Dnsmasq before 2.76 allows remote servers to cause a denial of service (crash) via a reply with an empty DNS address that has an (1) A or (2) AAAA record defined locally."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical"}, "references": [{"name": "91031", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/91031"}, {"name": "[Dnsmasq-discuss] 20160418 Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html"}, {"name": "USN-3009-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-3009-1"}, {"name": "[Dnsmasq-discuss] 20160503 Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010505.html"}, {"name": "[oss-security] 20160603 Re: CVE Request: Dnsmasq denial of service", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/06/04/2"}, {"name": "1036045", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1036045"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=41a8d9e99be9f2cc8b02051dd322cb45e0faac87"}, {"name": "[oss-security] 20160603 CVE Request: Dnsmasq denial of service", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/06/03/7"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@ubuntu.com", "ID": "CVE-2015-8899", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Dnsmasq before 2.76 allows remote servers to cause a denial of service (crash) via a reply with an empty DNS address that has an (1) A or (2) AAAA record defined locally."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "91031", "refsource": "BID", "url": "http://www.securityfocus.com/bid/91031"}, {"name": "[Dnsmasq-discuss] 20160418 Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly", "refsource": "MLIST", "url": "http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html"}, {"name": "USN-3009-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-3009-1"}, {"name": "[Dnsmasq-discuss] 20160503 Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly", "refsource": "MLIST", "url": "http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010505.html"}, {"name": "[oss-security] 20160603 Re: CVE Request: Dnsmasq denial of service", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/06/04/2"}, {"name": "1036045", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1036045"}, {"name": "http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=41a8d9e99be9f2cc8b02051dd322cb45e0faac87", "refsource": "CONFIRM", "url": "http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=41a8d9e99be9f2cc8b02051dd322cb45e0faac87"}, {"name": "[oss-security] 20160603 CVE Request: Dnsmasq denial of service", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/06/03/7"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T08:29:22.024Z"}, "title": "CVE Program Container", "references": [{"name": "91031", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/91031"}, {"name": "[Dnsmasq-discuss] 20160418 Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html"}, {"name": "USN-3009-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-3009-1"}, {"name": "[Dnsmasq-discuss] 20160503 Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010505.html"}, {"name": "[oss-security] 20160603 Re: CVE Request: Dnsmasq denial of service", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/06/04/2"}, {"name": "1036045", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1036045"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=41a8d9e99be9f2cc8b02051dd322cb45e0faac87"}, {"name": "[oss-security] 20160603 CVE Request: Dnsmasq denial of service", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/06/03/7"}]}]}, "cveMetadata": {"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2015-8899", "datePublished": "2016-06-30T17:00:00", "dateReserved": "2016-06-03T00:00:00", "dateUpdated": "2024-08-06T08:29:22.024Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*", "matchCriteriaId": "B705C85C-B580-43B5-AAAA-CBA10885BB22", "versionEndIncluding": "2.75", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dnsmasq before 2.76 allows remote servers to cause a denial of service (crash) via a reply with an empty DNS address that has an (1) A or (2) AAAA record defined locally."}, {"lang": "es", "value": "Dnsmasq en versiones anteriores a 2.76 permite a servidores remotos provocar una denegaci\u00f3n de servicio (ca\u00edda) a trav\u00e9s de una respuesta con una direcci\u00f3n DNS vac\u00eda que tiene una grabaci\u00f3n (1) A o (2) AAAA definida localmente."}], "id": "CVE-2015-8899", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-06-30T17:59:00.157", "references": [{"source": "security@ubuntu.com", "url": "http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html"}, {"source": "security@ubuntu.com", "url": "http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010505.html"}, {"source": "security@ubuntu.com", "url": "http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=41a8d9e99be9f2cc8b02051dd322cb45e0faac87"}, {"source": "security@ubuntu.com", "url": "http://www.openwall.com/lists/oss-security/2016/06/03/7"}, {"source": "security@ubuntu.com", "url": "http://www.openwall.com/lists/oss-security/2016/06/04/2"}, {"source": "security@ubuntu.com", "url": "http://www.securityfocus.com/bid/91031"}, {"source": "security@ubuntu.com", "url": "http://www.securitytracker.com/id/1036045"}, {"source": "security@ubuntu.com", "url": "http://www.ubuntu.com/usn/USN-3009-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010505.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=41a8d9e99be9f2cc8b02051dd322cb45e0faac87"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2016/06/03/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2016/06/04/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/91031"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1036045"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-3009-1"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}