The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because…
mitre·CWE-338·Published 2019-12-13
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
DNS message transaction IDs are generated using math/rand which makes them relatively predictable. This reduces the complexity of response spoofing attacks against DNS clients.
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
El paquete DNS de miekg Go versiones anteriores a la versión 1.1.25, como es usado en CoreDNS versiones anteriores a la versión 1.6.6 y otros productos, genera números aleatorios inapropiadamente porque math/rand es usado. El TXID se vuelve predecible, conllevando a falsificaciones de respuesta.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| 3.1 | Primary | NVD | 5.9 | 2.2 | 3.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | Secondary | GHSA | 5.9 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |