CVE-2023-7008
CVE-2023-7008 is a medium-severity vulnerability in Systemd Project Systemd with a CVSS 3.x base score of 5.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-300.
Key facts
- Severity: Medium (CVSS 3.x base score 5.9)
- EPSS exploit prediction: 1% (54th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-300
- Affected product: Systemd Project Systemd
- Published:
- Last modified:
Description
A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.
Frequently asked questions
- What is CVE-2023-7008?
- A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.
- How severe is CVE-2023-7008?
- CVE-2023-7008 has a CVSS 3.x base score of 5.9, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2023-7008 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (54th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-7008?
- CVE-2023-7008 affects Systemd Project Systemd. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-7008?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-7008 published?
- CVE-2023-7008 was published on 2023-12-23 and last updated on 2026-06-17.
References
- https://access.redhat.com/errata/RHSA-2024:2463
- https://access.redhat.com/errata/RHSA-2024:3203
- https://access.redhat.com/security/cve/CVE-2023-7008
- https://bugzilla.redhat.com/show_bug.cgi?id=2222261
- https://bugzilla.redhat.com/show_bug.cgi?id=2222672
- https://github.com/systemd/systemd/issues/25676
- https://lists.debian.org/debian-lts-announce/2024/09/msg00001.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/
- https://security.netapp.com/advisory/ntap-20241122-0004/
Affected products (1)
- cpe:2.3:a:systemd_project:systemd:25:*:*:*:*:*:*:*
More vulnerabilities in Systemd Project Systemd
- CVE-2022-2526 — Critical (CVSS 9.8): A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and…
- CVE-2018-21029 — Critical (CVSS 9.8): systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name…
- CVE-2015-7510 — Critical (CVSS 9.8): Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd.
- CVE-2017-1000082 — Critical (CVSS 9.8): systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the…
- CVE-2018-15688 — High (CVSS 8.8): A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory…
- CVE-2023-26604 — High (CVSS 7.8): systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible…
All CVEs affecting Systemd Project Systemd →
Other CWE-300 vulnerabilities
- CVE-2023-31004 — High (CVSS 8.3): IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security…
- CVE-2024-31206 — High (CVSS 8.2): dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `[email protected]`, network requests to…
- CVE-2025-31214 — High (CVSS 8.1): This issue was addressed through improved state management. This issue is fixed in iOS 18.5 and iPadOS 18.5. An…
- CVE-2024-36553 — High (CVSS 8.1): Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h is vulnerable to MITM attack.
- CVE-2021-21953 — High (CVSS 8.1): An authentication bypass vulnerability exists in the process_msg() function of the home_security binary of Anker Eufy…
- CVE-2021-41033 — High (CVSS 8.1): In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be…