CVE-2017-15091

CVE-2017-15091 is a high-severity vulnerability in Powerdns Authoritative with a CVSS 3.x base score of 7.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-358.

Key facts

Description

An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY.

Frequently asked questions

What is CVE-2017-15091?
An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY.
How severe is CVE-2017-15091?
CVE-2017-15091 has a CVSS 3.x base score of 7.1, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability high.
Is CVE-2017-15091 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (66th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2017-15091?
CVE-2017-15091 affects Powerdns Authoritative. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2017-15091?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
When was CVE-2017-15091 published?
CVE-2017-15091 was published on 2018-01-23 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Powerdns Authoritative

All CVEs affecting Powerdns Authoritative →

Other CWE-358 vulnerabilities

Browse all CWE-358 vulnerabilities →