The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
{ "nvd_published_at": null, "cwe_ids": [ "CWE-330", "CWE-338" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-05-18T20:42:52Z" }