Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-wx5x-pkdb-sbgt

Summary

DNSJava DNSSEC Bypass
### Summary

Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones.

### Details

DNS Messages are not authenticated. They do not guarantee that

- received RRs are authentic
- not received RRs do not exist
- all or any received records in a response relate to the request

Applications utilizing DNSSEC generally expect these guarantees to be met, however DNSSEC by itself only guarantees the first two.
To meet the third guarantee, resolvers generally follow an (undocumented, as far as RFCs go) algorithm such as: (simplified, e.g. lacks DNSSEC validation!)

1. denote by `QNAME` the name you are querying (e.g. fraunhofer.de.), and initialize a list of aliases
2. if the ANSWER section contains a valid PTR RRSet for `QNAME`, return it (and optionally return the list of aliases as well)
3. if the ANSWER section contains a valid CNAME RRSet for `QNAME`, add it to the list of aliases. Set `QNAME` to the CNAME's target and go to 2.
4. Verify that `QNAME` does not have any PTR, CNAME and DNAME records using valid NSEC or NSEC3 records. Return `null`.

Note that this algorithm relies on NSEC records and thus requires a considerable portion of the DNSSEC specifications to be implemented. For this reason, it cannot be performed by a DNS client (aka application) and is typically performed as part of the resolver logic.

dnsjava does not implement a comparable algorithm, and the provided APIs instead return either

- the received DNS message itself (e.g. when using a ValidatingResolver such as in [this](https://github.com/dnsjava/dnsjava/blob/master/EXAMPLES.md#dnssec-resolver) example), or
- essentially just the contents of its ANSWER section (e.g. when using a LookupSession such as in [this](https://github.com/dnsjava/dnsjava/blob/master/EXAMPLES.md#simple-lookup-with-a-resolver) example)

If applications blindly filter the received results for RRs of the desired record type (as seems to be typical usage for dnsjava), a rogue recursive resolver or (on UDP/TCP connections) a network attacker can

- In addition to the actual DNS response, add RRs irrelevant to the query but of the right datatype, e.g. from another zone, as long as that zone is correctly using DNSSEC, or
- completely exchange the relevant response records

### Impact

DNS(SEC) libraries are usually used as part of a larger security framework.
Therefore, the main misuses of this vulnerability concern application code, which might take the returned records as authentic answers to the request.
Here are three concrete examples of where this might be detrimental:

- [RFC 6186](https://datatracker.ietf.org/doc/html/rfc6186) specifies that to connect to an IMAP server for a user, a mail user agent should retrieve certain SRV records and send the user's credentials to the specified servers. Exchanging the SRV records can be a tool to redirect the credentials.
- When delivering mail via SMTP, MX records determine where to deliver the mails to. Exchanging the MX records might lead to information disclosure. Additionally, an exchange of TLSA records might allow attackers to intercept TLS traffic.
- Some research projects like [LIGHTest](https://www.lightest.eu/) are trying to manage CA trust stores via URI and SMIMEA records in the DNS. Exchanging these allows manipulating the root of trust for dependent applications.

### Mitigations

At this point, the following mitigations are recommended:

- When using a ValidatingResolver, ignore any Server indications of whether or not data was available (e.g. NXDOMAIN, NODATA, ...).
- For APIs returning RRs from DNS responses, filter the RRs using an algorithm such as the one above. This includes e.g. `LookupSession.lookupAsync`.
- Remove APIs dealing with raw DNS messages from the examples section or place a noticable warning above.

Aliases

alias	CVE-2024-25638

alias	GHSA-cfxw-4h78-h7fw

Fixed_packages

url	pkg:deb/debian/dnsjava@3.6.2-1?distro=trixie
purl	pkg:deb/debian/dnsjava@3.6.2-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsjava@3.6.2-1%3Fdistro=trixie

url	pkg:deb/debian/dnsjava@3.6.2-2
purl	pkg:deb/debian/dnsjava@3.6.2-2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsjava@3.6.2-2

url	pkg:deb/debian/dnsjava@3.6.2-2?distro=trixie
purl	pkg:deb/debian/dnsjava@3.6.2-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsjava@3.6.2-2%3Fdistro=trixie

url	pkg:deb/debian/dnsjava@3.6.3-1?distro=trixie
purl	pkg:deb/debian/dnsjava@3.6.3-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsjava@3.6.3-1%3Fdistro=trixie

url	pkg:maven/dnsjava/dnsjava@3.6.0
purl	pkg:maven/dnsjava/dnsjava@3.6.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.6.0

Affected_packages

url pkg:deb/debian/dnsjava@2.1.8-2

purl pkg:deb/debian/dnsjava@2.1.8-2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-66sa-bc5p-jqde

vulnerability	VCID-vprj-j7u6-zbe7

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsjava@2.1.8-2

url pkg:deb/debian/dnsjava@2.1.8-2?distro=trixie

purl pkg:deb/debian/dnsjava@2.1.8-2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-66sa-bc5p-jqde

vulnerability	VCID-vprj-j7u6-zbe7

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsjava@2.1.8-2%3Fdistro=trixie

url pkg:maven/dnsjava/dnsjava@1.2.3

purl pkg:maven/dnsjava/dnsjava@1.2.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@1.2.3

url pkg:maven/dnsjava/dnsjava@1.3.2

purl pkg:maven/dnsjava/dnsjava@1.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@1.3.2

url pkg:maven/dnsjava/dnsjava@2.0.1

purl pkg:maven/dnsjava/dnsjava@2.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@2.0.1

url pkg:maven/dnsjava/dnsjava@2.0.6

purl pkg:maven/dnsjava/dnsjava@2.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@2.0.6

url pkg:maven/dnsjava/dnsjava@2.0.7

purl pkg:maven/dnsjava/dnsjava@2.0.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@2.0.7

url pkg:maven/dnsjava/dnsjava@2.0.8

purl pkg:maven/dnsjava/dnsjava@2.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@2.0.8

url pkg:maven/dnsjava/dnsjava@2.1.0

purl pkg:maven/dnsjava/dnsjava@2.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@2.1.0

url pkg:maven/dnsjava/dnsjava@2.1.1

purl pkg:maven/dnsjava/dnsjava@2.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@2.1.1

url pkg:maven/dnsjava/dnsjava@2.1.6

purl pkg:maven/dnsjava/dnsjava@2.1.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@2.1.6

url pkg:maven/dnsjava/dnsjava@2.1.7

purl pkg:maven/dnsjava/dnsjava@2.1.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@2.1.7

url pkg:maven/dnsjava/dnsjava@2.1.8

purl pkg:maven/dnsjava/dnsjava@2.1.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@2.1.8

url pkg:maven/dnsjava/dnsjava@2.1.9

purl pkg:maven/dnsjava/dnsjava@2.1.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@2.1.9

url pkg:maven/dnsjava/dnsjava@3.0.0

purl pkg:maven/dnsjava/dnsjava@3.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.0.0

url pkg:maven/dnsjava/dnsjava@3.0.0-next.1

purl pkg:maven/dnsjava/dnsjava@3.0.0-next.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.0.0-next.1

url pkg:maven/dnsjava/dnsjava@3.0.1

purl pkg:maven/dnsjava/dnsjava@3.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.0.1

url pkg:maven/dnsjava/dnsjava@3.0.2

purl pkg:maven/dnsjava/dnsjava@3.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.0.2

url pkg:maven/dnsjava/dnsjava@3.1.0

purl pkg:maven/dnsjava/dnsjava@3.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.1.0

url pkg:maven/dnsjava/dnsjava@3.2.0

purl pkg:maven/dnsjava/dnsjava@3.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.2.0

url pkg:maven/dnsjava/dnsjava@3.2.1

purl pkg:maven/dnsjava/dnsjava@3.2.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.2.1

url pkg:maven/dnsjava/dnsjava@3.2.2

purl pkg:maven/dnsjava/dnsjava@3.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.2.2

url pkg:maven/dnsjava/dnsjava@3.3.0

purl pkg:maven/dnsjava/dnsjava@3.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.3.0

url pkg:maven/dnsjava/dnsjava@3.3.1

purl pkg:maven/dnsjava/dnsjava@3.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.3.1

url pkg:maven/dnsjava/dnsjava@3.4.0

purl pkg:maven/dnsjava/dnsjava@3.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.4.0

url pkg:maven/dnsjava/dnsjava@3.4.1

purl pkg:maven/dnsjava/dnsjava@3.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.4.1

url pkg:maven/dnsjava/dnsjava@3.4.2

purl pkg:maven/dnsjava/dnsjava@3.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.4.2

url pkg:maven/dnsjava/dnsjava@3.4.3

purl pkg:maven/dnsjava/dnsjava@3.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.4.3

url pkg:maven/dnsjava/dnsjava@3.5.0

purl pkg:maven/dnsjava/dnsjava@3.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-t19w-8s3x-z7gt

vulnerability	VCID-vrhz-pre9-7kdk

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.5.0

url pkg:maven/dnsjava/dnsjava@3.5.1

purl pkg:maven/dnsjava/dnsjava@3.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-t19w-8s3x-z7gt

vulnerability	VCID-vrhz-pre9-7kdk

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.5.1

url pkg:maven/dnsjava/dnsjava@3.5.2

purl pkg:maven/dnsjava/dnsjava@3.5.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-t19w-8s3x-z7gt

vulnerability	VCID-vrhz-pre9-7kdk

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.5.2

url pkg:maven/dnsjava/dnsjava@3.5.3

purl pkg:maven/dnsjava/dnsjava@3.5.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-t19w-8s3x-z7gt

vulnerability	VCID-vrhz-pre9-7kdk

vulnerability	VCID-wx5x-pkdb-sbgt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/dnsjava/dnsjava@3.5.3

References

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-25638.json

reference_id

reference_type

scores

value	8.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-25638.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-25638

reference_id

reference_type

scores

value	0.00188
scoring_system	epss
scoring_elements	0.40723
published_at	2026-04-16T12:55:00Z

value	0.00188
scoring_system	epss
scoring_elements	0.40678
published_at	2026-04-13T12:55:00Z

value	0.00188
scoring_system	epss
scoring_elements	0.40697
published_at	2026-04-12T12:55:00Z

value	0.00188
scoring_system	epss
scoring_elements	0.40732
published_at	2026-04-11T12:55:00Z

value	0.00188
scoring_system	epss
scoring_elements	0.40714
published_at	2026-04-09T12:55:00Z

value	0.00188
scoring_system	epss
scoring_elements	0.40658
published_at	2026-04-07T12:55:00Z

value	0.00188
scoring_system	epss
scoring_elements	0.40734
published_at	2026-04-04T12:55:00Z

value	0.00188
scoring_system	epss
scoring_elements	0.40706
published_at	2026-04-02T12:55:00Z

value	0.00188
scoring_system	epss
scoring_elements	0.40708
published_at	2026-04-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-25638

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25638
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25638

reference_url

https://github.com/dnsjava/dnsjava

reference_id

reference_type

scores

value	8.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

value	7.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/dnsjava/dnsjava

reference_url

https://github.com/dnsjava/dnsjava/commit/2073a0cdea2c560465f7ac0cc56f202e6fc39705

reference_id

reference_type

scores

value	8.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

value	7.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-22T15:32:07Z/

url

https://github.com/dnsjava/dnsjava/commit/2073a0cdea2c560465f7ac0cc56f202e6fc39705

reference_url	https://github.com/dnsjava/dnsjava/commit/bc51df1c455e6c9fb7cbd42fcb6d62d16047818d
reference_id
reference_type
scores
url	https://github.com/dnsjava/dnsjava/commit/bc51df1c455e6c9fb7cbd42fcb6d62d16047818d

reference_url

https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw

reference_id

reference_type

scores

value	8.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	7.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-22T15:32:07Z/

url

https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-25638

reference_id

reference_type

scores

value	8.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

value	7.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-25638

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077368
reference_id	1077368
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077368

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2299292
reference_id	2299292
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2299292

reference_url

https://github.com/advisories/GHSA-cfxw-4h78-h7fw

reference_id

GHSA-cfxw-4h78-h7fw

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-cfxw-4h78-h7fw

Weaknesses

cwe_id	345
name	Insufficient Verification of Data Authenticity
description	The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

cwe_id	349
name	Acceptance of Extraneous Untrusted Data With Trusted Data
description	The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 7.0 - 8.9

Exploitability 0.5

Weighted_severity 8.0

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wx5x-pkdb-sbgt

Vulnerability Instance