CVE-2019-25039

moderate-risk
Published 2021-04-27

Unbound before 1.9.5 allows an integer overflow in a size calculation in respip/respip.c. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited

Do I need to act?

-
0.74% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 34e52a4313d59b9d57e928c44300fd81e1a48910
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Debian Nlnetlabs

References (6)

Mailing List https://lists.debian.org/debian-lts-announce/2021/05/msg00007.html
Patch https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
Third Party Advisory https://security.netapp.com/advisory/ntap-20210507-0007/
Mailing List https://lists.debian.org/debian-lts-announce/2021/05/msg00007.html
Patch https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
Third Party Advisory https://security.netapp.com/advisory/ntap-20210507-0007/
41
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 7/34 · Low