{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-25638", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-08T22:26:33.513Z", "datePublished": "2024-07-22T14:05:29.278Z", "dateUpdated": "2025-07-24T03:55:26.242Z"}, "containers": {"cna": {"title": "DNSJava DNSSEC Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-349", "lang": "en", "description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw"}, {"name": "https://github.com/dnsjava/dnsjava/commit/2073a0cdea2c560465f7ac0cc56f202e6fc39705", "tags": ["x_refsource_MISC"], "url": "https://github.com/dnsjava/dnsjava/commit/2073a0cdea2c560465f7ac0cc56f202e6fc39705"}], "affected": [{"vendor": "dnsjava", "product": "dnsjava", "versions": [{"version": "< 3.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-04T14:24:37.774Z"}, "descriptions": [{"lang": "en", "value": "dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0."}], "source": {"advisory": "GHSA-cfxw-4h78-h7fw", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "dnsjava", "product": "dnsjava", "cpes": ["cpe:2.3:a:dnsjava:dnsjava:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.6.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-23T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-25638"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T03:55:26.242Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:44:09.878Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw"}, {"name": "https://github.com/dnsjava/dnsjava/commit/bc51df1c455e6c9fb7cbd42fcb6d62d16047818d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dnsjava/dnsjava/commit/bc51df1c455e6c9fb7cbd42fcb6d62d16047818d"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw", "name": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/dnsjava/dnsjava/commit/bc51df1c455e6c9fb7cbd42fcb6d62d16047818d", "name": "https://github.com/dnsjava/dnsjava/commit/bc51df1c455e6c9fb7cbd42fcb6d62d16047818d", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:44:09.878Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25638", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-22T15:32:07.508937Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:dnsjava:dnsjava:*:*:*:*:*:*:*:*"], "vendor": "dnsjava", "product": "dnsjava", "versions": [{"status": "affected", "version": "0", "lessThan": "3.6.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-22T15:42:07.012Z"}}], "cna": {"title": "DNSJava DNSSEC Bypass", "source": {"advisory": "GHSA-cfxw-4h78-h7fw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dnsjava", "product": "dnsjava", "versions": [{"status": "affected", "version": "< 3.6.0"}]}], "references": [{"url": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw", "name": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dnsjava/dnsjava/commit/2073a0cdea2c560465f7ac0cc56f202e6fc39705", "name": "https://github.com/dnsjava/dnsjava/commit/2073a0cdea2c560465f7ac0cc56f202e6fc39705", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-349", "description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-04T14:24:37.774Z"}}}, "cveMetadata": {"cveId": "CVE-2024-25638", "state": "PUBLISHED", "dateUpdated": "2025-07-24T03:55:26.242Z", "dateReserved": "2024-02-08T22:26:33.513Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-22T14:05:29.278Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0."}, {"lang": "es", "value": "dnsjava es una implementaci\u00f3n de DNS en Java. No se verifica la relevancia de los registros en las respuestas DNS para la consulta, lo que permite que un atacante responda con RR de diferentes zonas. Esta vulnerabilidad se solucion\u00f3 en 3.6.0."}], "id": "CVE-2024-25638", "lastModified": "2024-11-21T09:01:07.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-22T14:15:04.593", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/dnsjava/dnsjava/commit/2073a0cdea2c560465f7ac0cc56f202e6fc39705"}, {"source": "security-advisories@github.com", "url": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/dnsjava/dnsjava/commit/bc51df1c455e6c9fb7cbd42fcb6d62d16047818d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}, {"lang": "en", "value": "CWE-349"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "dnsjava: Improper response validation allowing DNSSEC bypass", "id": "2299292", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2299292"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "status": "draft"}, "cwe": "(CWE-345|CWE-349)", "details": ["dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.", "A flaw was found in the dnsjava package, a DNS implementation written in the Java language. The dnsjava package does not properly check the DNS resource records (RR) relevancy to the DNS query being processed, allowing an attacker to respond to the DNS request with RRs from different zones. This issue may lead to data integrity and confidentiality issues for applications, which due to DNSSEC specifications, might assume the returned RRs are authentic."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2024-25638", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "dnsjava/dnsjava", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "dnsjava/dnsjava", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "dnsjava/dnsjava", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "dnsjava/dnsjava", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "dnsjava/dnsjava", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "org.xbill/dnsjava", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "dnsjava", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "dnsjava", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "dnsjava", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2024-07-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-25638\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-25638\nhttps://github.com/dnsjava/dnsjava/commit/bc51df1c455e6c9fb7cbd42fcb6d62d16047818d\nhttps://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw"], "statement": "This vulnerability in the dnsjava package is of important severity due to its potential to undermine the foundational security mechanisms of DNS-based applications. The improper validation of DNS resource records (RRs) allows an attacker to inject records from unauthorized DNS zones, effectively bypassing the integrity checks that DNSSEC is designed to enforce. This flaw not only compromises the authenticity of DNS responses but also opens the door to sophisticated attacks such as DNS cache poisoning and redirection to malicious servers. \nRed Hat JBoss Enterprise Application Platform 7 & 8 was not affected by this CVE.", "threat_severity": "Important"}