CVE-2019-25035

moderate-risk
Published 2021-04-27

Unbound before 1.9.5 allows an out-of-bounds write in sldns_bget_token_par. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited

Do I need to act?

-
0.74% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Debian Nlnetlabs

References (6)

Mailing List https://lists.debian.org/debian-lts-announce/2021/05/msg00007.html
Not Applicable https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
Third Party Advisory https://security.netapp.com/advisory/ntap-20210507-0007/
Mailing List https://lists.debian.org/debian-lts-announce/2021/05/msg00007.html
Not Applicable https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
Third Party Advisory https://security.netapp.com/advisory/ntap-20210507-0007/
41
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 7/34 · Low