CVE-2019-25031

Name
CVE-2019-25031
Description
** DISPUTED ** Unbound before 1.9.5 allows configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session. NOTE: The vendor does not consider this a vulnerability of the Unbound software. create_unbound_ad_servers.sh is a contributed script from the community that facilitates automatic configuration creation. It is not part of the Unbound installation.
NVD Severity
medium
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                  URI
MISC                  https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
Mailing List          https://lists.debian.org/debian-lts-announce/2021/05/msg00007.html
Third Party Advisory  https://security.netapp.com/advisory/ntap-20210507-0007/

Match rules

CPE URI                                       Source package  Min version  Max version
cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*   unbound         >= None      < 1.9.5

Vulnerable and fixed packages

Source package  Branch     Version   Maintainer                             Status
unbound         3.10-main  1.9.1-r8  Natanael Copa <ncopa@alpinelinux.org>  possibly vulnerable