miekg/dns insecurely generates random numbers · CVE-2019-19794 · GitHub Advisory Database · GitHub

miekg/dns insecurely generates random numbers

Moderate severity GitHub Reviewed Published May 18, 2021 to the GitHub Advisory Database • Updated Aug 29, 2023

Package

github.com/miekg/dns (Go)

Affected versions

< 1.1.25

Patched versions

1.1.25

Description

The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.

References

Reviewed May 18, 2021

Published to the GitHub Advisory Database May 18, 2021

Last updated Aug 29, 2023

Severity

Moderate

5.9

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N