Impact
The Recursor mistakenly stores ECS zero scoped answers in its packet cache, leading to potential leakage of sensitive data to clients that query the DNS server. The flaw results in a confidentiality breach, constituting a CWE‑524 weakness where sensitive data is stored in a cache that should not be. This caching flaw can expose various records to unauthorized parties.
Affected Systems
PowerDNS:Recursor is affected. All installations with ECS enabled are potentially vulnerable, as no specific version details are provided.
Risk and Exploitability
The CVSS score of 5.3 places the issue in a moderate range. The EPSS score is currently unavailable, and the vulnerability is not listed in CISA KEV catalog. Attack vectors are likely through legitimate DNS queries from clients to the Recursor when ECS is enabled, allowing the attacker to obtain cached answers that were not meant for public dissemination.
OpenCVE Enrichment
Debian DSA