{"id":"ALPINE-CVE-2020-28935","details":"NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.","modified":"2025-12-03T22:49:37.896966Z","published":"2020-12-07T22:15:20.853Z","upstream":["CVE-2020-28935"],"references":[{"type":"ADVISORY","url":"https://security.alpinelinux.org/vuln/CVE-2020-28935"}],"affected":[{"package":{"name":"nsd","ecosystem":"Alpine:v3.12","purl":"pkg:apk/alpine/nsd?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.4-r0"}]}],"versions":["3.2.10-r0","3.2.12-r0","3.2.13-r0","3.2.14-r0","3.2.15-r0","3.2.16-r0","3.2.16-r1","3.2.16-r2","3.2.7-r0","3.2.7-r1","3.2.8-r0","3.2.9-r0","4.0.0-r0","4.0.0-r1","4.0.1-r0","4.0.1-r1","4.0.2-r0","4.0.3-r0","4.0.3-r1","4.1.0-r0","4.1.1-r0","4.1.1-r1","4.1.10-r1","4.1.11-r0","4.1.13-r0","4.1.13-r1","4.1.14-r0","4.1.14-r1","4.1.15-r0","4.1.15-r1","4.1.15-r2","4.1.16-r0","4.1.16-r1","4.1.19-r0","4.1.2-r0","4.1.20-r0","4.1.20-r1","4.1.21-r0","4.1.22-r0","4.1.23-r0","4.1.24-r0","4.1.24-r1","4.1.26-r0","4.1.27-r0","4.1.3-r0","4.1.4-r0","4.1.6-r0","4.1.7-r0","4.1.7-r1","4.1.8-r0","4.1.9-r0","4.1.9-r1","4.2.0-r0","4.2.1-r0","4.2.2-r0","4.2.2-r1","4.2.3-r0","4.2.3-r1","4.2.3-r2","4.2.3-r3","4.2.3-r4","4.2.4-r0","4.2.4-r1","4.3.0-r0","4.3.1-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2020-28935.json"}},{"package":{"name":"nsd","ecosystem":"Alpine:v3.13","purl":"pkg:apk/alpine/nsd?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.4-r0"}]}],"versions":["3.2.10-r0","3.2.12-r0","3.2.13-r0","3.2.14-r0","3.2.15-r0","3.2.16-r0","3.2.16-r1","3.2.16-r2","3.2.7-r0","3.2.7-r1","3.2.8-r0","3.2.9-r0","4.0.0-r0","4.0.0-r1","4.0.1-r0","4.0.1-r1","4.0.2-r0","4.0.3-r0","4.0.3-r1","4.1.0-r0","4.1.1-r0","4.1.1-r1","4.1.10-r1","4.1.11-r0","4.1.13-r0","4.1.13-r1","4.1.14-r0","4.1.14-r1","4.1.15-r0","4.1.15-r1","4.1.15-r2","4.1.16-r0","4.1.16-r1","4.1.19-r0","4.1.2-r0","4.1.20-r0","4.1.20-r1","4.1.21-r0","4.1.22-r0","4.1.23-r0","4.1.24-r0","4.1.24-r1","4.1.26-r0","4.1.27-r0","4.1.3-r0","4.1.4-r0","4.1.6-r0","4.1.7-r0","4.1.7-r1","4.1.8-r0","4.1.9-r0","4.1.9-r1","4.2.0-r0","4.2.1-r0","4.2.2-r0","4.2.2-r1","4.2.3-r0","4.2.3-r1","4.2.3-r2","4.2.3-r3","4.2.3-r4","4.2.4-r0","4.2.4-r1","4.3.0-r0","4.3.1-r0","4.3.2-r0","4.3.3-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2020-28935.json"}},{"package":{"name":"nsd","ecosystem":"Alpine:v3.14","purl":"pkg:apk/alpine/nsd?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.4-r0"}]}],"versions":["3.2.10-r0","3.2.12-r0","3.2.13-r0","3.2.14-r0","3.2.15-r0","3.2.16-r0","3.2.16-r1","3.2.16-r2","3.2.7-r0","3.2.7-r1","3.2.8-r0","3.2.9-r0","4.0.0-r0","4.0.0-r1","4.0.1-r0","4.0.1-r1","4.0.2-r0","4.0.3-r0","4.0.3-r1","4.1.0-r0","4.1.1-r0","4.1.1-r1","4.1.10-r1","4.1.11-r0","4.1.13-r0","4.1.13-r1","4.1.14-r0","4.1.14-r1","4.1.15-r0","4.1.15-r1","4.1.15-r2","4.1.16-r0","4.1.16-r1","4.1.19-r0","4.1.2-r0","4.1.20-r0","4.1.20-r1","4.1.21-r0","4.1.22-r0","4.1.23-r0","4.1.24-r0","4.1.24-r1","4.1.26-r0","4.1.27-r0","4.1.3-r0","4.1.4-r0","4.1.6-r0","4.1.7-r0","4.1.7-r1","4.1.8-r0","4.1.9-r0","4.1.9-r1","4.2.0-r0","4.2.1-r0","4.2.2-r0","4.2.2-r1","4.2.3-r0","4.2.3-r1","4.2.3-r2","4.2.3-r3","4.2.3-r4","4.2.4-r0","4.2.4-r1","4.3.0-r0","4.3.1-r0","4.3.2-r0","4.3.3-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2020-28935.json"}},{"package":{"name":"nsd","ecosystem":"Alpine:v3.15","purl":"pkg:apk/alpine/nsd?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.4-r0"}]}],"versions":["3.2.10-r0","3.2.12-r0","3.2.13-r0","3.2.14-r0","3.2.15-r0","3.2.16-r0","3.2.16-r1","3.2.16-r2","3.2.7-r0","3.2.7-r1","3.2.8-r0","3.2.9-r0","4.0.0-r0","4.0.0-r1","4.0.1-r0","4.0.1-r1","4.0.2-r0","4.0.3-r0","4.0.3-r1","4.1.0-r0","4.1.1-r0","4.1.1-r1","4.1.10-r1","4.1.11-r0","4.1.13-r0","4.1.13-r1","4.1.14-r0","4.1.14-r1","4.1.15-r0","4.1.15-r1","4.1.15-r2","4.1.16-r0","4.1.16-r1","4.1.19-r0","4.1.2-r0","4.1.20-r0","4.1.20-r1","4.1.21-r0","4.1.22-r0","4.1.23-r0","4.1.24-r0","4.1.24-r1","4.1.26-r0","4.1.27-r0","4.1.3-r0","4.1.4-r0","4.1.6-r0","4.1.7-r0","4.1.7-r1","4.1.8-r0","4.1.9-r0","4.1.9-r1","4.2.0-r0","4.2.1-r0","4.2.2-r0","4.2.2-r1","4.2.3-r0","4.2.3-r1","4.2.3-r2","4.2.3-r3","4.2.3-r4","4.2.4-r0","4.2.4-r1","4.3.0-r0","4.3.1-r0","4.3.2-r0","4.3.3-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2020-28935.json"}},{"package":{"name":"nsd","ecosystem":"Alpine:v3.16","purl":"pkg:apk/alpine/nsd?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.4-r0"}]}],"versions":["3.2.10-r0","3.2.12-r0","3.2.13-r0","3.2.14-r0","3.2.15-r0","3.2.16-r0","3.2.16-r1","3.2.16-r2","3.2.7-r0","3.2.7-r1","3.2.8-r0","3.2.9-r0","4.0.0-r0","4.0.0-r1","4.0.1-r0","4.0.1-r1","4.0.2-r0","4.0.3-r0","4.0.3-r1","4.1.0-r0","4.1.1-r0","4.1.1-r1","4.1.10-r1","4.1.11-r0","4.1.13-r0","4.1.13-r1","4.1.14-r0","4.1.14-r1","4.1.15-r0","4.1.15-r1","4.1.15-r2","4.1.16-r0","4.1.16-r1","4.1.19-r0","4.1.2-r0","4.1.20-r0","4.1.20-r1","4.1.21-r0","4.1.22-r0","4.1.23-r0","4.1.24-r0","4.1.24-r1","4.1.26-r0","4.1.27-r0","4.1.3-r0","4.1.4-r0","4.1.6-r0","4.1.7-r0","4.1.7-r1","4.1.8-r0","4.1.9-r0","4.1.9-r1","4.2.0-r0","4.2.1-r0","4.2.2-r0","4.2.2-r1","4.2.3-r0","4.2.3-r1","4.2.3-r2","4.2.3-r3","4.2.3-r4","4.2.4-r0","4.2.4-r1","4.3.0-r0","4.3.1-r0","4.3.2-r0","4.3.3-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2020-28935.json"}},{"package":{"name":"nsd","ecosystem":"Alpine:v3.17","purl":"pkg:apk/alpine/nsd?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.4-r0"}]}],"versions":["3.2.10-r0","3.2.12-r0","3.2.13-r0","3.2.14-r0","3.2.15-r0","3.2.16-r0","3.2.16-r1","3.2.16-r2","3.2.7-r0","3.2.7-r1","3.2.8-r0","3.2.9-r0","4.0.0-r0","4.0.0-r1","4.0.1-r0","4.0.1-r1","4.0.2-r0","4.0.3-r0","4.0.3-r1","4.1.0-r0","4.1.1-r0","4.1.1-r1","4.1.10-r1","4.1.11-r0","4.1.13-r0","4.1.13-r1","4.1.14-r0","4.1.14-r1","4.1.15-r0","4.1.15-r1","4.1.15-r2","4.1.16-r0","4.1.16-r1","4.1.19-r0","4.1.2-r0","4.1.20-r0","4.1.20-r1","4.1.21-r0","4.1.22-r0","4.1.23-r0","4.1.24-r0","4.1.24-r1","4.1.26-r0","4.1.27-r0","4.1.3-r0","4.1.4-r0","4.1.6-r0","4.1.7-r0","4.1.7-r1","4.1.8-r0","4.1.9-r0","4.1.9-r1","4.2.0-r0","4.2.1-r0","4.2.2-r0","4.2.2-r1","4.2.3-r0","4.2.3-r1","4.2.3-r2","4.2.3-r3","4.2.3-r4","4.2.4-r0","4.2.4-r1","4.3.0-r0","4.3.1-r0","4.3.2-r0","4.3.3-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2020-28935.json"}},{"package":{"name":"nsd","ecosystem":"Alpine:v3.18","purl":"pkg:apk/alpine/nsd?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.4-r0"}]}],"versions":["3.2.10-r0","3.2.12-r0","3.2.13-r0","3.2.14-r0","3.2.15-r0","3.2.16-r0","3.2.16-r1","3.2.16-r2","3.2.7-r0","3.2.7-r1","3.2.8-r0","3.2.9-r0","4.0.0-r0","4.0.0-r1","4.0.1-r0","4.0.1-r1","4.0.2-r0","4.0.3-r0","4.0.3-r1","4.1.0-r0","4.1.1-r0","4.1.1-r1","4.1.10-r1","4.1.11-r0","4.1.13-r0","4.1.13-r1","4.1.14-r0","4.1.14-r1","4.1.15-r0","4.1.15-r1","4.1.15-r2","4.1.16-r0","4.1.16-r1","4.1.19-r0","4.1.2-r0","4.1.20-r0","4.1.20-r1","4.1.21-r0","4.1.22-r0","4.1.23-r0","4.1.24-r0","4.1.24-r1","4.1.26-r0","4.1.27-r0","4.1.3-r0","4.1.4-r0","4.1.6-r0","4.1.7-r0","4.1.7-r1","4.1.8-r0","4.1.9-r0","4.1.9-r1","4.2.0-r0","4.2.1-r0","4.2.2-r0","4.2.2-r1","4.2.3-r0","4.2.3-r1","4.2.3-r2","4.2.3-r3","4.2.3-r4","4.2.4-r0","4.2.4-r1","4.3.0-r0","4.3.1-r0","4.3.2-r0","4.3.3-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2020-28935.json"}},{"package":{"name":"nsd","ecosystem":"Alpine:v3.19","purl":"pkg:apk/alpine/nsd?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.4-r0"}]}],"versions":["3.2.10-r0","3.2.12-r0","3.2.13-r0","3.2.14-r0","3.2.15-r0","3.2.16-r0","3.2.16-r1","3.2.16-r2","3.2.7-r0","3.2.7-r1","3.2.8-r0","3.2.9-r0","4.0.0-r0","4.0.0-r1","4.0.1-r0","4.0.1-r1","4.0.2-r0","4.0.3-r0","4.0.3-r1","4.1.0-r0","4.1.1-r0","4.1.1-r1","4.1.10-r1","4.1.11-r0","4.1.13-r0","4.1.13-r1","4.1.14-r0","4.1.14-r1","4.1.15-r0","4.1.15-r1","4.1.15-r2","4.1.16-r0","4.1.16-r1","4.1.19-r0","4.1.2-r0","4.1.20-r0","4.1.20-r1","4.1.21-r0","4.1.22-r0","4.1.23-r0","4.1.24-r0","4.1.24-r1","4.1.26-r0","4.1.27-r0","4.1.3-r0","4.1.4-r0","4.1.6-r0","4.1.7-r0","4.1.7-r1","4.1.8-r0","4.1.9-r0","4.1.9-r1","4.2.0-r0","4.2.1-r0","4.2.2-r0","4.2.2-r1","4.2.3-r0","4.2.3-r1","4.2.3-r2","4.2.3-r3","4.2.3-r4","4.2.4-r0","4.2.4-r1","4.3.0-r0","4.3.1-r0","4.3.2-r0","4.3.3-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2020-28935.json"}},{"package":{"name":"nsd","ecosystem":"Alpine:v3.20","purl":"pkg:apk/alpine/nsd?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.4-r0"}]}],"versions":["3.2.10-r0","3.2.12-r0","3.2.13-r0","3.2.14-r0","3.2.15-r0","3.2.16-r0","3.2.16-r1","3.2.16-r2","3.2.7-r0","3.2.7-r1","3.2.8-r0","3.2.9-r0","4.0.0-r0","4.0.0-r1","4.0.1-r0","4.0.1-r1","4.0.2-r0","4.0.3-r0","4.0.3-r1","4.1.0-r0","4.1.1-r0","4.1.1-r1","4.1.10-r1","4.1.11-r0","4.1.13-r0","4.1.13-r1","4.1.14-r0","4.1.14-r1","4.1.15-r0","4.1.15-r1","4.1.15-r2","4.1.16-r0","4.1.16-r1","4.1.19-r0","4.1.2-r0","4.1.20-r0","4.1.20-r1","4.1.21-r0","4.1.22-r0","4.1.23-r0","4.1.24-r0","4.1.24-r1","4.1.26-r0","4.1.27-r0","4.1.3-r0","4.1.4-r0","4.1.6-r0","4.1.7-r0","4.1.7-r1","4.1.8-r0","4.1.9-r0","4.1.9-r1","4.2.0-r0","4.2.1-r0","4.2.2-r0","4.2.2-r1","4.2.3-r0","4.2.3-r1","4.2.3-r2","4.2.3-r3","4.2.3-r4","4.2.4-r0","4.2.4-r1","4.3.0-r0","4.3.1-r0","4.3.2-r0","4.3.3-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2020-28935.json"}},{"package":{"name":"nsd","ecosystem":"Alpine:v3.21","purl":"pkg:apk/alpine/nsd?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.4-r0"}]}],"versions":["3.2.10-r0","3.2.12-r0","3.2.13-r0","3.2.14-r0","3.2.15-r0","3.2.16-r0","3.2.16-r1","3.2.16-r2","3.2.7-r0","3.2.7-r1","3.2.8-r0","3.2.9-r0","4.0.0-r0","4.0.0-r1","4.0.1-r0","4.0.1-r1","4.0.2-r0","4.0.3-r0","4.0.3-r1","4.1.0-r0","4.1.1-r0","4.1.1-r1","4.1.10-r1","4.1.11-r0","4.1.13-r0","4.1.13-r1","4.1.14-r0","4.1.14-r1","4.1.15-r0","4.1.15-r1","4.1.15-r2","4.1.16-r0","4.1.16-r1","4.1.19-r0","4.1.2-r0","4.1.20-r0","4.1.20-r1","4.1.21-r0","4.1.22-r0","4.1.23-r0","4.1.24-r0","4.1.24-r1","4.1.26-r0","4.1.27-r0","4.1.3-r0","4.1.4-r0","4.1.6-r0","4.1.7-r0","4.1.7-r1","4.1.8-r0","4.1.9-r0","4.1.9-r1","4.2.0-r0","4.2.1-r0","4.2.2-r0","4.2.2-r1","4.2.3-r0","4.2.3-r1","4.2.3-r2","4.2.3-r3","4.2.3-r4","4.2.4-r0","4.2.4-r1","4.3.0-r0","4.3.1-r0","4.3.2-r0","4.3.3-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2020-28935.json"}},{"package":{"name":"nsd","ecosystem":"Alpine:v3.22","purl":"pkg:apk/alpine/nsd?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.4-r0"}]}],"versions":["3.2.10-r0","3.2.12-r0","3.2.13-r0","3.2.14-r0","3.2.15-r0","3.2.16-r0","3.2.16-r1","3.2.16-r2","3.2.7-r0","3.2.7-r1","3.2.8-r0","3.2.9-r0","4.0.0-r0","4.0.0-r1","4.0.1-r0","4.0.1-r1","4.0.2-r0","4.0.3-r0","4.0.3-r1","4.1.0-r0","4.1.1-r0","4.1.1-r1","4.1.10-r1","4.1.11-r0","4.1.13-r0","4.1.13-r1","4.1.14-r0","4.1.14-r1","4.1.15-r0","4.1.15-r1","4.1.15-r2","4.1.16-r0","4.1.16-r1","4.1.19-r0","4.1.2-r0","4.1.20-r0","4.1.20-r1","4.1.21-r0","4.1.22-r0","4.1.23-r0","4.1.24-r0","4.1.24-r1","4.1.26-r0","4.1.27-r0","4.1.3-r0","4.1.4-r0","4.1.6-r0","4.1.7-r0","4.1.7-r1","4.1.8-r0","4.1.9-r0","4.1.9-r1","4.2.0-r0","4.2.1-r0","4.2.2-r0","4.2.2-r1","4.2.3-r0","4.2.3-r1","4.2.3-r2","4.2.3-r3","4.2.3-r4","4.2.4-r0","4.2.4-r1","4.3.0-r0","4.3.1-r0","4.3.2-r0","4.3.3-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2020-28935.json"}},{"package":{"name":"nsd","ecosystem":"Alpine:v3.23","purl":"pkg:apk/alpine/nsd?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.4-r0"}]}],"versions":["3.2.10-r0","3.2.12-r0","3.2.13-r0","3.2.14-r0","3.2.15-r0","3.2.16-r0","3.2.16-r1","3.2.16-r2","3.2.7-r0","3.2.7-r1","3.2.8-r0","3.2.9-r0","4.0.0-r0","4.0.0-r1","4.0.1-r0","4.0.1-r1","4.0.2-r0","4.0.3-r0","4.0.3-r1","4.1.0-r0","4.1.1-r0","4.1.1-r1","4.1.10-r1","4.1.11-r0","4.1.13-r0","4.1.13-r1","4.1.14-r0","4.1.14-r1","4.1.15-r0","4.1.15-r1","4.1.15-r2","4.1.16-r0","4.1.16-r1","4.1.19-r0","4.1.2-r0","4.1.20-r0","4.1.20-r1","4.1.21-r0","4.1.22-r0","4.1.23-r0","4.1.24-r0","4.1.24-r1","4.1.26-r0","4.1.27-r0","4.1.3-r0","4.1.4-r0","4.1.6-r0","4.1.7-r0","4.1.7-r1","4.1.8-r0","4.1.9-r0","4.1.9-r1","4.2.0-r0","4.2.1-r0","4.2.2-r0","4.2.2-r1","4.2.3-r0","4.2.3-r1","4.2.3-r2","4.2.3-r3","4.2.3-r4","4.2.4-r0","4.2.4-r1","4.3.0-r0","4.3.1-r0","4.3.2-r0","4.3.3-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2020-28935.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}