Vulnerability Description
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Miekg-Dns Project | Miekg-Dns | < 1.1.25 |
Related Weaknesses (CWE)
References
- https://github.com/coredns/coredns/issues/3519 (Issue Tracking, Third Party Advisory)
- https://github.com/coredns/coredns/issues/3547 (Third Party Advisory)
- https://github.com/miekg/dns/compare/v1.1.24...v1.1.25 (Release Notes, Third Party Advisory)
- https://github.com/miekg/dns/issues/1043 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/miekg/dns/pull/1044 (Patch, Third Party Advisory)
FAQ
What is CVE-2019-19794?
CVE-2019-19794 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to resp...
How severe is CVE-2019-19794?
CVE-2019-19794 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-19794?
Check the references section above for vendor advisories and patch information. Affected products include: Miekg-Dns Project Miekg-Dns.