GoogleOSV:GHSA-44R7-7P62-Q3FRmiekg/dns insecurely generates random numbers
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
56.1%
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/miekg/dns | lt | 1.1.25 |
References
github.com/coredns/coredns/issues/3519
github.com/coredns/coredns/issues/3547
github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33
github.com/miekg/dns/compare/v1.1.24...v1.1.25
github.com/miekg/dns/issues/1037
github.com/miekg/dns/issues/1043
github.com/miekg/dns/pull/1044
nvd.nist.gov/vuln/detail/CVE-2019-19794
pkg.go.dev/vuln/GO-2020-0008
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
56.1%