CVE-2019-19794: Use of Cryptographically Weak Pseudo-Random Number Generator in Coredns Coredns

Severity
5.9 MEDIUM (NVD)
EPSS
0.3%
top 46.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Dec 13
Latest update: Mar 1

Description

The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages: 4 packages

Go: github.com/miekg_dns < 1.1.25-0.20191211073109-8ebf2e419df7 +1
debian: debian/golang-github-miekg-dns < golang-github-miekg-dns 1.1.26-1 (bookworm)

Patches

🔴Vulnerability Details

6
GHSA
Improper random number generation in github.com/coredns/coredns (2022-03-01)
OSV
Improper random number generation in github.com/coredns/coredns (2022-03-01)
OSV
miekg/dns insecurely generates random numbers (2021-05-18)
GHSA
miekg/dns insecurely generates random numbers (2021-05-18)
OSV
Insecure generation of random numbers in github.com/miekg/dns (2021-04-14)

📋Vendor Advisories

2
Red Hat
golang-github-miekg-dns: predictable TXID can lead to response forgeries (2019-12-05)
Debian
CVE-2019-19794: golang-github-miekg-dns - The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and othe... (2019)

💬Community

3
Bugzilla
CVE-2019-19794 golang-github-miekg-dns: predictable TXID can lead to response forgeries (2019-12-27)
Bugzilla
CVE-2019-19794 golang-github-miekg-dns: predictable TXID can lead to response forgeries [fedora-all] (2019-12-27)
Bugzilla
CVE-2019-19794 golang-github-miekg-dns: predictable TXID can lead to response forgeries [epel-6] (2019-12-27)