CVE-2019-25031

Name of the Vulnerable Software and Affected Versions Unbound versions prior to 1.9.5

Description The issue is related to insufficient neutralization of special elements in a request, which can be exploited by a remote attacker to impact data integrity. This can occur upon a successful man-in-the-middle attack against a cleartext HTTP session, allowing configuration injection in the create unbound ad servers.sh script. Note that the vendor does not consider this a vulnerability of the Unbound software, as create unbound ad servers.sh is a community-contributed script that facilitates automatic configuration creation and is not part of the Unbound installation.

Recommendations For Unbound versions prior to 1.9.5, update to version 1.9.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the create unbound ad servers.sh script until the update is applied. Additionally, avoid using cleartext HTTP sessions to minimize the risk of man-in-the-middle attacks.