{"id":"CVE-2020-8616","details":"A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.","modified":"2026-04-16T04:34:54.152648610Z","published":"2020-05-19T14:15:11.877Z","related":["CGA-6cf9-v4fv-gmpq","SUSE-SU-2020:1350-1","SUSE-SU-2020:14400-1","SUSE-SU-2020:1914-1","SUSE-SU-2020:2914-1","openSUSE-SU-2020:1699-1","openSUSE-SU-2020:1701-1","openSUSE-SU-2024:10650-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00031.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKJXVBOKZ36ER3EUCR7VRB7WGHIIMPNJ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOGCJS2XQ3SQNF4W6GLZ73LWZJ6ZZWZI/"},{"type":"WEB","url":"https://usn.ubuntu.com/4365-1/"},{"type":"WEB","url":"https://usn.ubuntu.com/4365-2/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4689"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200522-0002/"},{"type":"ADVISORY","url":"https://www.synology.com/security/advisory/Synology_SA_20_12"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2020/05/19/4"},{"type":"FIX","url":"https://kb.isc.org/docs/cve-2020-8616"},{"type":"EVIDENCE","url":"http://www.nxnsattack.com"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.isc.org/isc-projects/bind9","events":[{"introduced":"19d6c56085e97cf4ac559cdc27edd624127bcb32"},{"last_affected":"bc6c00f15aab336c7467e3fbad977ce05cdf398e"},{"introduced":"71a40862c0be867999867cd99e21c2266a5e452b"},{"last_affected":"a953e08740c2d76cd69e3e9515e14544fa3a1dda"},{"introduced":"29b3a7d84240a51099490c0f39ae537f4e0d6a7a"},{"last_affected":"6491691ac4bec0dc59e3eeba2797d65527f3bcd6"},{"introduced":"d1e053ed8dff25af8af241cf5ee2c83bd41a25ad"},{"last_affected":"098f68799b79aa0c53dc60bf3759347c87a8ba25"},{"introduced":"031bca512d4788356de4cce6f3e61e6b1a878f9c"},{"last_affected":"fa2f16db89ddfb54c4a0e10d103a521e2fda2e0b"},{"introduced":"6270e602ea52209243475c4f1edbabe084e148f7"},{"last_affected":"b310dc7f5ec5458c5b831be99cdbac03e33be4a6"},{"introduced":"04ca7cc4b6993f47ea61852c759d047c83be7b3f"},{"last_affected":"deb57872b630b9957662cf443e1e0001ab0e7b73"},{"introduced":"0"},{"last_affected":"28e45cd00e2e1e621a2e97ba1ee6bdc6a4102e16"},{"introduced":"0"},{"last_affected":"1c59cea1c0e26e2da3f2afb90200bfe9f7748c03"},{"introduced":"0"},{"last_affected":"341e64a2de908ceec50ed46d243bf3402342735c"},{"introduced":"0"},{"last_affected":"fe1302d54424009769409e46c0d50c0bcccd1d31"},{"introduced":"0"},{"last_affected":"617639b7cc40ba9eb6fde2d98099726d50da812e"},{"introduced":"0"},{"last_affected":"eba38b89007f65bc6c1fdd2451034bbe3908b9a4"},{"introduced":"0"},{"last_affected":"19d6c56085e97cf4ac559cdc27edd624127bcb32"}],"database_specific":{"versions":[{"introduced":"9.0.0"},{"last_affected":"9.11.18"},{"introduced":"9.12.0"},{"last_affected":"9.12.4"},{"introduced":"9.13.0"},{"last_affected":"9.13.7"},{"introduced":"9.14.0"},{"last_affected":"9.14.11"},{"introduced":"9.15.0"},{"last_affected":"9.15.6"},{"introduced":"9.16.0"},{"last_affected":"9.16.2"},{"introduced":"9.17.0"},{"last_affected":"9.17.1"},{"introduced":"0"},{"last_affected":"9.12.4-p1"},{"introduced":"0"},{"last_affected":"9.9.3-s1"},{"introduced":"0"},{"last_affected":"9.10.5-s1"},{"introduced":"0"},{"last_affected":"9.10.7-s1"},{"introduced":"0"},{"last_affected":"9.11.3-s1"},{"introduced":"0"},{"last_affected":"9.11.6-s1"},{"introduced":"0"},{"last_affected":"9.0"}]}}],"versions":["v9.0.0","v9.10.0a1","v9.10.0a2","v9.10.0b1","v9.10.0b2","v9.10.0rc1","v9.10.0rc2","v9.10.1","v9.10.1b1","v9.10.1b2","v9.10.1rc1","v9.10.1rc2","v9.10.2","v9.10.2b1","v9.10.2rc1","v9.10.2rc2","v9.10.3","v9.10.3b1","v9.10.3rc1","v9.10.4","v9.10.4b1","v9.10.4b2","v9.10.4b3","v9.10.4rc1","v9.10.5","v9.10.5b1","v9.10.5rc1","v9.10.5rc2","v9.10.5rc3","v9.10.6b1","v9.10.6rc1","v9.10.7b1","v9.11.0","v9.11.0a1","v9.11.0a2","v9.11.0a3","v9.11.0b1","v9.11.0b2","v9.11.0b3","v9.11.0rc1","v9.11.0rc2","v9.11.0rc3","v9.11.1","v9.11.11","v9.11.14","v9.11.16","v9.11.18","v9.11.1b1","v9.11.1rc1","v9.11.1rc2","v9.11.1rc3","v9.11.2b1","v9.11.2rc1","v9.11.3b1","v9.11.3rc1","v9.11.4","v9.11.4rc2","v9.11.6","v9.11.6-P1","v9.11.6rc1","v9.11.7","v9.11.9","v9.12.0a1","v9.12.0b1","v9.12.0b2","v9.12.0rc1","v9.12.1b1","v9.12.1rc1","v9.12.2","v9.12.2rc2","v9.12.4","v9.12.4-P1","v9.12.4rc1","v9.13.0","v9.13.2","v9.13.3","v9.13.4","v9.13.5","v9.13.6","v9.13.7","v9.14.0rc1","v9.14.11","v9.14.2","v9.14.4","v9.14.6","v9.14.9","v9.15.0","v9.15.2","v9.15.3","v9.15.4","v9.15.6","v9.15.7","v9.15.8","v9.16.0","v9.16.2","v9.17.1","v9.5.0a1","v9.5.0a2","v9.5.0a3","v9.5.0a4","v9.5.0a5","v9.5.0a6","v9.7.0a1","v9.9.0","v9.9.0rc3","v9.9.0rc4","v9.9.1","v9.9.2b1","v9.9.2rc1","v9.9.3b1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8616.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.12.4-p2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.11.5-s3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.11.5-s5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.11.7-s1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.11.8-s1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}]}