{"id":"CVE-2016-7074","details":"An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 4.0.4, allowing an attacker in a man-in-the-middle position to alter the content of an AXFR because of insufficient validation of TSIG signatures. The cause is a missing check that the TSIG record is the last one, which makes it possible to parse records that are not covered by the TSIG signature.","modified":"2026-03-14T14:21:12.153908Z","published":"2018-09-11T13:29:01.167Z","related":["MGASA-2017-0033"],"references":[{"type":"ADVISORY","url":"https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2017/dsa-3764"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7074"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/powerdns/pdns","events":[{"introduced":"0"},{"fixed":"06ede1f2c905091585c1adfc4eb9208e256fcb3b"},{"introduced":"ba64cecd417688dc39c75e92f1a23b91f7f46d64"},{"fixed":"9d7fd146ebfcb2aa657ff34dab0f116f824ba77a"},{"introduced":"0"},{"fixed":"9388f1be79e49a1def301dad55512d50637b4982"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.4.11"},{"introduced":"4.0.0"},{"fixed":"4.0.2"},{"introduced":"0"},{"fixed":"4.0.4"}]}}],"versions":["auth-4.0.0","auth-4.0.1","rec-4.0.0","rec-4.0.1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-7074.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}