PowerDNS Security Advisory 2020-04: Access restriction bypass CVE: CVE-2020-14196 Date: July 1st 2020 Affects: PowerDNS Recursor up to and including 4.3.1, 4.2.2 and 4.1.16 Not affected: 4.3.2, 4.2.3, 4.1.17 Severity: Low Impact Access restriction bypass Exploit This problem can be triggered by sending HTTP queries Risk of system compromise No Solution Upgrade to a non-affected version Workaround Disable the webserver, set a password or an API key. Additionally, restrict the binding address using the webserver-address setting to local addresses only and/or use a firewall to disallow web requests from untrusted sources reaching the webserver listening address. Details An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction. In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected.