The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
References
Link | Resource |
---|---|
https://github.com/coredns/coredns/issues/3519 | Issue Tracking Third Party Advisory |
https://github.com/coredns/coredns/issues/3547 | Third Party Advisory |
https://github.com/miekg/dns/compare/v1.1.24...v1.1.25 | Release Notes Third Party Advisory |
https://github.com/miekg/dns/issues/1043 | Exploit Issue Tracking Third Party Advisory |
https://github.com/miekg/dns/pull/1044 | Patch Third Party Advisory |
Configurations
History
No history.
Information
Published : 2019-12-13 22:15
Updated : 2024-02-28 17:28
NVD link : CVE-2019-19794
Mitre link : CVE-2019-19794
CVE.ORG link : CVE-2019-19794
JSON object : View
Products Affected
miekg-dns_project
- miekg-dns
CWE
CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)