{
  "threat_severity" : "Moderate",
  "public_date" : "2019-12-11T00:00:00Z",
  "bugzilla" : {
    "description" : "unbound: integer overflow in sldns_str2wire_dname_buf_origin can lead to an out-of-bounds write",
    "id" : "1954778",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1954778"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190->CWE-787",
  "details" : [ "Unbound before 1.9.5 allows an integer overflow in sldns_str2wire_dname_buf_origin, leading to an out-of-bounds write. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited", "A flaw was found in unbound. An integer overflow in the sldns_str2wire_dname_buf_origin function may lead to a buffer overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability." ],
  "statement" : "There is no available reproducer or proof of concept for this issue, nor it was ever proven the buffer overflow can happen in practice. Indeed in the original report this issue was considered one that might not be triggered and for this reason its Impact is Moderate. Upstream has also disputed this CVE.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-05-18T00:00:00Z",
    "advisory" : "RHSA-2021:1853",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "unbound-0:1.7.3-15.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Extended Update Support",
    "release_date" : "2022-02-22T00:00:00Z",
    "advisory" : "RHSA-2022:0632",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.2",
    "package" : "unbound-0:1.7.3-12.el8_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "unbound",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "unbound",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "unbound",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-25034\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-25034" ],
  "name" : "CVE-2019-25034",
  "csaw" : false
}