Lucene search

GitHub Advisory DatabaseGHSA-3RQ5-2G8H-59HC

HistoryApr 11, 2024 - 3:30 p.m.

Potential DoS via the Tudoor mechanism in eventlet and dnspython

2024-04-1115:30:48

CWE-696

GitHub Advisory Database

github.com

dos

tudoor mechanism

eventlet

dnspython

remote attackers

dns name resolution

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.1%

JSON

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a “TuDoor” attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.

Affected configurations

Vulners

Node

dnspythonRange<2.6.1

eventleteventletRange<0.35.2

CPENameOperatorVersion
dnspythonlt2.6.1
eventletlt0.35.2

CPE	Name	Operator	Version
	dnspython	lt	2.6.1
	eventlet	lt	0.35.2

References

github.com/advisories/GHSA-3rq5-2g8h-59hc

github.com/eventlet/eventlet/commit/51e3c4928d4938beb576eff34f3bf97e6e64e6b4

github.com/eventlet/eventlet/issues/913

github.com/eventlet/eventlet/releases/tag/v0.35.2

github.com/rthalley/dnspython/commit/0ea5ad0a4583e1f519b9bcc67cfac381230d9cf2

github.com/rthalley/dnspython/issues/1045

github.com/rthalley/dnspython/releases/tag/v2.6.0

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH

nvd.nist.gov/vuln/detail/CVE-2023-29483

security.netapp.com/advisory/ntap-20240510-0001

security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713

www.dnspython.org