{"id":"CVE-2018-5738","details":"Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the \"allow-recursion\" setting, it SHOULD default to one of the following: none, if \"recursion no;\" is set in named.conf; a value inherited from the \"allow-query-cache\" or \"allow-query\" settings IF \"recursion yes;\" (the default for that setting) AND match lists are explicitly set for \"allow-query-cache\" or \"allow-query\" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of \"allow-recursion {localhost; localnets;};\" if \"recursion yes;\" is in effect and no values are explicitly set for \"allow-query-cache\" or \"allow-query\". However, because of the regression introduced by change #4777, it is possible when \"recursion yes;\" is in effect and no match list values are provided for \"allow-query-cache\" or \"allow-query\" for the setting of \"allow-recursion\" to inherit a setting of all hosts from the \"allow-query\" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0-\u003e9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.","modified":"2026-04-10T04:10:58.707692Z","published":"2019-01-16T20:29:00.907Z","related":["CGA-gxp4-7h2r-hgp5"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190830-0002/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3683-1/"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1041115"},{"type":"ADVISORY","url":"https://kb.isc.org/docs/aa-01616"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201903-13"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.isc.org/isc-projects/bind9","events":[{"introduced":"0"},{"last_affected":"4eb49c48823a2abbe0b3784305906cce5f520a4c"},{"introduced":"0"},{"last_affected":"470cee7071b278e016ae94cd403dbc13689d3444"},{"introduced":"0"},{"last_affected":"db65d701b999d10e555c13454bceb74df4494975"},{"introduced":"0"},{"last_affected":"fe1302d54424009769409e46c0d50c0bcccd1d31"},{"introduced":"0"},{"last_affected":"a37581543167cd471036b0d43e767c9ffb825625"},{"introduced":"0"},{"last_affected":"617639b7cc40ba9eb6fde2d98099726d50da812e"},{"introduced":"0"},{"last_affected":"71a40862c0be867999867cd99e21c2266a5e452b"},{"introduced":"0"},{"last_affected":"08a3dedda1254acbbc7ebbfee33915d27efaa902"},{"introduced":"0"},{"last_affected":"08a3dedda1254acbbc7ebbfee33915d27efaa902"},{"introduced":"0"},{"last_affected":"5b1e929b8b07586a24d32dc0d7590bc25dacf754"},{"introduced":"0"},{"last_affected":"f9c3aba9b3070603bd8582399646480ec6bc5912"},{"introduced":"0"},{"last_affected":"4bb22b64006b4b0d248b918005359b055a03ac46"},{"introduced":"0"},{"last_affected":"b2307b25465c16d37ff6de22438a2d214287417c"},{"introduced":"0"},{"last_affected":"ed829a6ba4ff56d4eb82074e0498736fa9d68f8c"},{"introduced":"0"},{"last_affected":"14b0e01fee2e288e01eef3dd88f3212030ad3c42"},{"introduced":"0"},{"last_affected":"29b3a7d84240a51099490c0f39ae537f4e0d6a7a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"9.9.12"},{"introduced":"0"},{"last_affected":"9.9.12-s1"},{"introduced":"0"},{"last_affected":"9.10.7"},{"introduced":"0"},{"last_affected":"9.10.7-s1"},{"introduced":"0"},{"last_affected":"9.11.3"},{"introduced":"0"},{"last_affected":"9.11.3-s1"},{"introduced":"0"},{"last_affected":"9.12.0"},{"introduced":"0"},{"last_affected":"9.12.0-a1"},{"introduced":"0"},{"last_affected":"9.12.0-b1"},{"introduced":"0"},{"last_affected":"9.12.0-b2"},{"introduced":"0"},{"last_affected":"9.12.0-rc1"},{"introduced":"0"},{"last_affected":"9.12.0-rc3"},{"introduced":"0"},{"last_affected":"9.12.1"},{"introduced":"0"},{"last_affected":"9.12.1-p1"},{"introduced":"0"},{"last_affected":"9.12.1-p2"},{"introduced":"0"},{"last_affected":"9.13.0"}]}}],"versions":["v9.10.0a1","v9.10.0a2","v9.10.0b1","v9.10.0b2","v9.10.0rc1","v9.10.0rc2","v9.10.1","v9.10.1b1","v9.10.1b2","v9.10.1rc1","v9.10.1rc2","v9.10.2","v9.10.2b1","v9.10.2rc1","v9.10.2rc2","v9.10.3","v9.10.3b1","v9.10.3rc1","v9.10.4","v9.10.4b1","v9.10.4b2","v9.10.4b3","v9.10.4rc1","v9.10.5","v9.10.5b1","v9.10.5rc1","v9.10.5rc2","v9.10.5rc3","v9.10.6b1","v9.10.6rc1","v9.10.7","v9.10.7b1","v9.10.7rc1","v9.11.0","v9.11.0a1","v9.11.0a2","v9.11.0a3","v9.11.0b1","v9.11.0b2","v9.11.0b3","v9.11.0rc1","v9.11.0rc2","v9.11.0rc3","v9.11.1","v9.11.1b1","v9.11.1rc1","v9.11.1rc2","v9.11.1rc3","v9.11.2b1","v9.11.2rc1","v9.11.3","v9.11.3b1","v9.11.3rc1","v9.12.0","v9.12.0a1","v9.12.0b1","v9.12.0b2","v9.12.0rc1","v9.12.0rc2","v9.12.0rc3","v9.12.1","v9.12.1-P2","v9.12.1b1","v9.12.1rc1","v9.13.0","v9.5.0a1","v9.5.0a2","v9.5.0a3","v9.5.0a4","v9.5.0a5","v9.5.0a6","v9.7.0a1","v9.9.0","v9.9.0rc3","v9.9.0rc4","v9.9.1","v9.9.10","v9.9.10b1","v9.9.10rc1","v9.9.10rc2","v9.9.10rc3","v9.9.11b1","v9.9.11rc1","v9.9.12","v9.9.12b1","v9.9.12rc1","v9.9.2b1","v9.9.2rc1","v9.9.3","v9.9.3b1","v9.9.3b2","v9.9.3rc1","v9.9.3rc2","v9.9.4","v9.9.4b1","v9.9.4rc2","v9.9.5","v9.9.5b1","v9.9.5rc1","v9.9.5rc2","v9.9.6","v9.9.6b1","v9.9.6b2","v9.9.6rc1","v9.9.6rc2","v9.9.7","v9.9.7b1","v9.9.7rc1","v9.9.7rc2","v9.9.8","v9.9.8b1","v9.9.8rc1","v9.9.9","v9.9.9b1","v9.9.9b2","v9.9.9rc1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.11.3-s2"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-5738.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}