Vulnerability Name:

CVE-2019-25033 (CCN-200872)

Assigned:2019-12-12
Published:2019-12-12
Updated:2021-12-03
Summary:** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in the regional allocator via the ALIGN_UP macro.
Note: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited.
CVSS v3 Severity:9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-190
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2019-25033

Source: XF
Type: UNKNOWN
unbound-cve201925033-code-exec(200872)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210506 [SECURITY] [DLA 2652-1] unbound1.9 security update

Source: CCN
Type: Unbound Web site
Unbound

Source: CCN
Type: OSTIF Web site
Unbound DNS

Source: MISC
Type: Not Applicable, Third Party Advisory
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210507-0007/

Source: CCN
Type: IBM Security Bulletin 6853463 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-25033

Vulnerable Configuration:Configuration 1:
  • cpe:/a:nlnetlabs:unbound:*:*:*:*:*:*:*:* (Version < 1.9.5)

  • Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:nlnetlabs:unbound:1.9.4:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.4:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:7688
    P
    libunbound2-1.6.8-150100.10.8.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:3096
    P
    gtk2-data-2.24.31-9.6.28 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94726
    P
    libunbound2-1.6.8-10.6.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:119096
    P
    Security update for unbound (Important)
    2022-02-15
    oval:org.opensuse.security:def:119210
    P
    Security update for unbound (Important)
    2022-01-25
    oval:org.opensuse.security:def:101606
    P
    Security update for unbound (Important)
    2022-01-25
    oval:org.opensuse.security:def:118713
    P
    Security update for unbound (Important)
    2022-01-25
    oval:org.opensuse.security:def:119400
    P
    Security update for unbound (Important)
    2022-01-25
    oval:org.opensuse.security:def:894
    P
    Security update for unbound (Important)
    2022-01-25
    oval:org.opensuse.security:def:118903
    P
    Security update for unbound (Important)
    2022-01-25
    oval:org.opensuse.security:def:119585
    P
    Security update for unbound (Important)
    2022-01-25
    BACK
    nlnetlabs unbound *
    debian debian linux 9.0
    nlnetlabs unbound 1.9.4
    ibm robotic process automation for cloud pak 21.0.1
    ibm robotic process automation for cloud pak 21.0.2
    ibm robotic process automation for cloud pak 21.0.3
    ibm robotic process automation for cloud pak 21.0.5
    ibm robotic process automation for cloud pak 21.0.4