### [CVE-2019-6465](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6465)
![](https://img.shields.io/static/v1?label=Product&message=BIND%209&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=BIND%209BIND%209.9.0%20-%3E%209.10.8-P1%2C%209.11.0%20-%3E%209.11.5-P2%2C%209.12.0%20-%3E%209.12.3-P2%2C%20and%20versions%209.9.3-S1%20-%3E%209.11.5-S3%20of%20BIND%209%20Supported%20Preview%20Edition.%20Versions%209.13.0%20-%3E%209.13.6%20of%20the%209.13%20development%20branch%20are%20also%20affected.%20Versions%20prior%20to%20BIND%209.9.0%20have%20not%20been%20evaluated%20for%20vulnerability%20to%20CVE-2019-6465.%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=A%20client%20exercising%20this%20defect%20can%20request%20and%20receive%20a%20zone%20transfer%20of%20a%20DLZ%20even%20when%20not%20permitted%20to%20do%20so%20by%20the%20allow-transfer%20ACL.&color=brighgreen)

### Description

Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable.

Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/HJXSaber/bind9-my
- https://github.com/balabit-deps/balabit-os-8-bind9-libs
- https://github.com/balabit-deps/balabit-os-9-bind9-libs
- https://github.com/fokypoky/places-list
- https://github.com/pexip/os-bind9
- https://github.com/pexip/os-bind9-libs