{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cache-poisoning/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["hickory-recursor","hickory-resolver"],"_cs_severities":["medium"],"_cs_tags":["dns","cache-poisoning","zone-delegation"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks","Hickory DNS"],"content_html":"\u003cp\u003eThe Hickory DNS project\u0026rsquo;s experimental \u003ccode\u003ehickory-recursor\u003c/code\u003e crate, now integrated into \u003ccode\u003ehickory-resolver\u003c/code\u003e under the \u003ccode\u003erecursor\u003c/code\u003e feature, contains a vulnerability in its DNS record cache (\u003ccode\u003eDnsLru\u003c/code\u003e). The cache stores records based on the record\u0026rsquo;s name and type, rather than the originating query. This design flaw allows for cross-zone cache poisoning because the \u003ccode\u003ecache_response()\u003c/code\u003e function chains \u003ccode\u003eANSWER\u003c/code\u003e, \u003ccode\u003eAUTHORITY\u003c/code\u003e, and \u003ccode\u003eADDITIONAL\u003c/code\u003e sections into a single record iterator during insertion. The bailiwick filter uses the zone context of the NS pool that serviced the lookup, leading to improper validation of records from sibling zones. This issue affects all published versions of the experimental \u003ccode\u003ehickory-recursor\u003c/code\u003e crate prior to its integration into \u003ccode\u003ehickory-resolver\u003c/code\u003e 0.26.0. 
Users of the \u003ccode\u003ehickory-dns\u003c/code\u003e binary configured with the \u003ccode\u003erecursor\u003c/code\u003e feature are affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers the domain \u003ccode\u003eattacker.poc.\u003c/code\u003e and sets up a malicious nameserver.\u003c/li\u003e\n\u003cli\u003eHickory DNS server queries the nameserver for \u003ccode\u003eattacker.poc.\u003c/code\u003e to build its NS pool.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s nameserver responds with an \u003ccode\u003eAUTHORITY\u003c/code\u003e section that includes a malicious record delegating a sibling zone, such as \u003ccode\u003evictim.poc.\u003c/code\u003e, to \u003ccode\u003ens.evil.poc.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Hickory DNS server\u0026rsquo;s bailiwick check incorrectly validates the malicious \u003ccode\u003evictim.poc. NS ns.evil.poc.\u003c/code\u003e record because \u003ccode\u003evictim.poc.\u003c/code\u003e is a subdomain of the parent zone \u003ccode\u003epoc.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious NS record for \u003ccode\u003evictim.poc.\u003c/code\u003e is stored in the cache, keyed by \u003ccode\u003e(victim.poc., NS)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA client queries the Hickory DNS server for a name within the \u003ccode\u003evictim.poc.\u003c/code\u003e zone.\u003c/li\u003e\n\u003cli\u003eHickory DNS server builds its NS pool for \u003ccode\u003evictim.poc.\u003c/code\u003e using the poisoned cache entry, directing queries to \u003ccode\u003ens.evil.poc.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s nameserver now receives queries intended for the legitimate \u003ccode\u003evictim.poc.\u003c/code\u003e nameserver, allowing the attacker to intercept and manipulate DNS resolution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to redirect DNS queries for a target domain to an attacker-controlled nameserver. This can lead to various malicious activities, including phishing attacks, man-in-the-middle attacks, and the distribution of malware. The vulnerability affects any system using Hickory DNS with the \u003ccode\u003erecursor\u003c/code\u003e feature enabled, potentially impacting a wide range of users relying on the resolver for DNS resolution. If the targeted domain is critical for service delivery (e.g., email, web), the impact could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ehickory-resolver\u003c/code\u003e version 0.26.0 or later with the \u003ccode\u003erecursor\u003c/code\u003e feature enabled to address the vulnerability as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-83hf-93m4-rgwq\"\u003ehttps://github.com/advisories/GHSA-83hf-93m4-rgwq\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, disable the \u003ccode\u003erecursor\u003c/code\u003e feature in \u003ccode\u003ehickory-dns\u003c/code\u003e to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eImplement monitoring for unexpected NS record changes, focusing on \u003ccode\u003eAUTHORITY\u003c/code\u003e sections of DNS responses, using a custom rule based on your environment and typical DNS configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T18:10:58Z","date_published":"2026-04-30T18:10:58Z","id":"/briefs/2024-11-hickory-dns-poisoning/","summary":"The experimental `hickory-recursor` crate in Hickory DNS is vulnerable to cross-zone cache poisoning due to storing DNS records keyed by record name/type instead of query, enabling an attacker to redirect queries for a victim zone to an attacker-controlled 
nameserver.","title":"Hickory DNS Recursor Cache Poisoning via Sibling Zone Delegation","url":"https://feed.craftedsignal.io/briefs/2024-11-hickory-dns-poisoning/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-34042"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["act","cache-poisoning","rce","github-actions","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eact\u003c/code\u003e project, designed for local execution of GitHub Actions workflows, contains a critical vulnerability affecting versions prior to 0.2.86. The built-in actions/cache server, intended for local caching, inadvertently listens for connections on all network interfaces. This exposure allows any attacker capable of reaching the server, including those on the internet, to create caches with arbitrary keys and retrieve existing cache data. By predicting the cache keys used by local actions, an attacker can inject malicious content into the cache, paving the way for arbitrary remote code execution within the Docker container used by \u003ccode\u003eact\u003c/code\u003e. This vulnerability was addressed in version 0.2.86 of \u003ccode\u003eact\u003c/code\u003e. 
The CVSS v3.1 base score is 8.2, indicating a high-severity threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable \u003ccode\u003eact\u003c/code\u003e instance running a version prior to 0.2.86 with its cache server exposed on all interfaces.\u003c/li\u003e\n\u003cli\u003eThe attacker probes the exposed \u003ccode\u003eact\u003c/code\u003e cache server to determine accessible endpoints and version information.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes common GitHub Actions workflows and identifies predictable cache keys.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious cache archive containing payloads designed for remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious cache archive to the vulnerable \u003ccode\u003eact\u003c/code\u003e instance using the predicted cache key.\u003c/li\u003e\n\u003cli\u003eA legitimate user triggers a local GitHub Actions workflow using \u003ccode\u003eact\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eact\u003c/code\u003e instance retrieves the attacker\u0026rsquo;s malicious cache archive instead of the expected legitimate cache.\u003c/li\u003e\n\u003cli\u003eThe malicious payload within the cache is executed within the Docker container, leading to remote code execution on the host system running \u003ccode\u003eact\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve arbitrary remote code execution on the host system running the vulnerable version of \u003ccode\u003eact\u003c/code\u003e. This can lead to complete system compromise, data theft, and further lateral movement within the network. 
The vulnerability affects any user running a version of \u003ccode\u003eact\u003c/code\u003e prior to 0.2.86 with the cache server exposed. While the number of directly affected users is unknown, the potential impact on development environments and CI/CD pipelines is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to version 0.2.86 or later of the \u003ccode\u003eact\u003c/code\u003e project to remediate the vulnerability (CVE-2026-34042).\u003c/li\u003e\n\u003cli\u003eImplement network access controls to restrict access to the \u003ccode\u003eact\u003c/code\u003e cache server to only trusted networks and hosts.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the \u003ccode\u003eact\u003c/code\u003e cache server for unexpected or unauthorized access.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring on systems running \u003ccode\u003eact\u003c/code\u003e to detect potentially malicious processes spawned from Docker containers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T03:15:58Z","date_published":"2026-03-31T03:15:58Z","id":"/briefs/2024-02-29-act-cache-rce/","summary":"A vulnerability in versions prior to 0.2.86 of the act project allows remote attackers to create arbitrary caches, potentially leading to remote code execution within Docker containers by poisoning predicted cache keys.","title":"act Project Cache Poisoning Vulnerability Leads to Potential RCE","url":"https://feed.craftedsignal.io/briefs/2024-02-29-act-cache-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["jboss","undertow","denial-of-service","cache-poisoning","session-hijacking","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities exist within the Red Hat JBoss Enterprise Application Platform. 
An unauthenticated, remote attacker can exploit these flaws to trigger a denial-of-service (DoS) condition, manipulate sensitive data, and facilitate subsequent attacks, including cache poisoning and session hijacking. The vulnerabilities exist in the Undertow component. While specific CVEs are not listed in the advisory, the impact could be significant, leading to service disruption and potential data compromise. Defenders should focus on patching and monitoring for suspicious activity targeting JBoss instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable JBoss Enterprise Application Platform instance running an outdated version of Undertow.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a specially crafted HTTP request designed to exploit a specific vulnerability within Undertow\u0026rsquo;s request processing logic.\u003c/li\u003e\n\u003cli\u003eIf the vulnerability leads to a DoS, the server\u0026rsquo;s resources are exhausted, causing it to become unresponsive to legitimate requests.\u003c/li\u003e\n\u003cli\u003eIf the vulnerability allows data manipulation, the attacker modifies application data via HTTP requests.\u003c/li\u003e\n\u003cli\u003eFor cache poisoning, the attacker crafts a request that, when cached by the application or a proxy, serves malicious content to other users.\u003c/li\u003e\n\u003cli\u003eFor session hijacking, the attacker exploits a vulnerability that allows them to steal or forge user session IDs.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the hijacked session to impersonate a legitimate user and gain unauthorized access to sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to significant disruption of services relying on the JBoss Enterprise Application Platform. 
This includes denial-of-service conditions, potentially impacting business operations and user experience. Data manipulation could lead to data corruption or unauthorized modification of sensitive information. Cache poisoning can spread malicious content to a wide range of users. Session hijacking allows attackers to gain unauthorized access, potentially leading to data breaches or further malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eExamine web server logs for abnormal HTTP requests that could indicate exploitation attempts (see example Sigma rule for detecting suspicious HTTP methods).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns that may indicate denial-of-service attacks targeting JBoss servers.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) to filter out malicious requests and protect against common web exploits.\u003c/li\u003e\n\u003cli\u003eApply the latest patches and updates for Red Hat JBoss Enterprise Application Platform, focusing on the Undertow component, to remediate the underlying vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T10:23:05Z","date_published":"2026-03-25T10:23:05Z","id":"/briefs/2026-03-jboss-vulns/","summary":"An anonymous remote attacker can exploit multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform to cause a denial-of-service condition, manipulate data, and conduct further attacks such as cache poisoning and session hijacking.","title":"Red Hat JBoss Enterprise Application Platform Multiple Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-03-jboss-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — Cache-Poisoning","version":"https://jsonfeed.org/version/1.1"}