CVE-2018-20994

High

An issue was discovered in the trust-dns-proto crate before 0.5.0-alpha.3 for Rust. There is infinite recursion because DNS message…

mitre·CWE-674·Published 2019-08-26

CVSS

7.5

EPSS

0.01

KEV

Exploits

cve.orgen

158 chars

An issue was discovered in the trust-dns-proto crate before 0.5.0-alpha.3 for Rust. There is infinite recursion because DNS message compression is mishandled.

NVDen

158 chars

An issue was discovered in the trust-dns-proto crate before 0.5.0-alpha.3 for Rust. There is infinite recursion because DNS message compression is mishandled.

There's a stack overflow leading to a crash when Trust-DNS's parses a malicious DNS packet. Affected versions of this crate did not properly handle parsing of DNS message compression (RFC1035 section 4.1.4). The parser could be tricked into infinite loop when a compression offset pointed back to the same domain name to be parsed. This allows an attacker to craft a malicious DNS packet which when consumed with Trust-DNS could cause stack overflow and crash the affected software. The flaw was corrected by trust-dns-proto 0.4.3 and upcoming 0.5.0 release.

GHSAen

482 chars

NVDes

212 chars

Se descubrió un problema en el paquete (crate) trust-dns-proto versiones anteriores a 0.5.0-alpha.3 para Rust. Se presenta una recursión infinita porque la compresión de mensajes DNS es manejada inapropiadamente.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	5.0	10.0	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
3.0	Primary	NVD	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3.1	Secondary	GHSA	7.5	—	—	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H