CVE-2019-19794

MEDIUM5.9EPSS 0.30%

miekg/dns insecurely generates random numbers

Published: 5/18/2021Modified: 11/8/2023

Also known as:GHSA-44r7-7p62-q3frDEBIAN-CVE-2019-19794GO-2020-0008

Description

The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.

Affected packages (3)

Debian/golang-github-miekg-dnsfrom 0, < 1.1.26-1
Go/github.com/miekg/dnsfrom 0, < 1.1.25
Go/github.com/miekg/dnsfrom 0, < 1.1.25-0.20191211073109-8ebf2e419df7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References (10)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-19794
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-19794
WEBhttps://github.com/coredns/coredns/issues/3519
WEBhttps://github.com/coredns/coredns/issues/3547
WEBhttps://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33
WEBhttps://github.com/miekg/dns/compare/v1.1.24...v1.1.25
WEBhttps://github.com/miekg/dns/issues/1037
WEBhttps://github.com/miekg/dns/issues/1043
WEBhttps://github.com/miekg/dns/pull/1044
WEBhttps://pkg.go.dev/vuln/GO-2020-0008