Cyber Resilience

CVE-2023-29483

HighPublic PoC

Published: 11 April 2024

Published
11 April 2024
Modified
04 November 2025
KEV Added
Patch
CVSS Score v3.1 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS Score 0.0839 92.5th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-29483 is a high-severity DEPRECATED: Trusting Self-reported DNS Name (CWE-292) vulnerability in Fedoraproject Fedora. Its CVSS base score is 7.0 (High).

Operationally, ranked in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is a DNS cache poisoning flaw, tracked as CVE-2023-29483, that affects eventlet versions prior to 0.35.2 when used by dnspython versions prior to 2.6.0. It stems from insufficient validation during UDP-based name resolution: the resolver accepts the first packet that matches the expected source IP and port without waiting for a valid response within the full timeout window, enabling an attacker to inject an invalid packet that disrupts subsequent lookups. The issue is assigned CWE-292 and carries a CVSS 3.1 score of 7.0.

An unauthenticated remote attacker who can observe or predict a DNS query can exploit the race condition by sending a single malformed UDP packet from the authoritative server’s IP address and port. Successful interference can cause the resolver to fail or return incorrect results, resulting in denial of service for dependent applications and limited impact on confidentiality and integrity of resolved data.

Patches are available in eventlet 0.35.2 and dnspython 2.6.1; the latter release also corrects an unrelated regression introduced in 2.6.0. Downstream distributions such as Fedora have issued coordinated updates referencing the upstream fixes. The associated EPSS score has remained essentially flat near 0.08 with no material post-disclosure increase.

EU & UK References

Vulnerability details

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython…

more

does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

eventlet
eventlet
≤ 0.35.2
dnspython
dnspython
≤ 2.6.0
fedoraproject
fedora
38, 39, 40
netapp
bootstrap os
all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References