Vulnerability Details : CVE-2020-10772
An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414. Vulnerable versions of Unbound could still amplify an incoming query into a large number of queries directed to a target, even with a lower amplification ratio compared to versions of Unbound that shipped before the mentioned erratum. This issue is about the incomplete fix for CVE-2020-12662, and it does not affect upstream versions of Unbound.
Products affected by CVE-2020-10772
- cpe:2.3:a:nlnetlabs:unbound:1.6.6-5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-10772
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 36 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-10772
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2020-10772
-
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
-
The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.Assigned by: secalert@redhat.com (Secondary)
References for CVE-2020-10772
-
https://bugzilla.redhat.com/show_bug.cgi?id=1846026
1846026 – (CVE-2020-10772) CVE-2020-10772 unbound: incomplete fix for CVE-2020-12662 in RHEL7Issue Tracking;Third Party Advisory
Jump to