Vulnerabilities > CVE-2019-19794 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Miekg-Dns Project Miekg-Dns

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

miekg-dns-project

CWE-338

NVD

Published: 2019-12-13

Updated: 2020-01-02

Summary

The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.

Vulnerable Configurations

Part	Description	Count
Application	Miekg-Dns_Project Miekg DNS Project Miekg DNS *	1

Common Weakness Enumeration (CWE)

CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

References

https://github.com/coredns/coredns/issues/3519
https://github.com/coredns/coredns/issues/3547
https://github.com/miekg/dns/compare/v1.1.24...v1.1.25
https://github.com/miekg/dns/issues/1043
https://github.com/miekg/dns/pull/1044