CVE-2019-19794
low-risk
Published 2019-12-13
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
Do I need to act?
0.30% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 5.9/10 · Medium · NETWORK / HIGH complexity
Affected Products (1)
Miekg-Dns
Affected Vendors
References (10)
Issue Tracking
https://github.com/coredns/coredns/issues/3519
Third Party Advisory
https://github.com/coredns/coredns/issues/3547
Release Notes
https://github.com/miekg/dns/compare/v1.1.24...v1.1.25
24 / 100
low-risk
Severity
18/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal