Cyber Resilience

CVE-2020-25684

Low

Published: 20 January 2021

Published
20 January 2021
Modified
04 November 2025
KEV Added
Patch
CVSS Score v3.1 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.0035 57.8th percentile
Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-25684 is a low-severity Improperly Implemented Security Check for Standard (CWE-358) vulnerability in Arista Eos. Its CVSS base score is 3.7 (Low).

Operationally, ranked in the top 42.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the…

more

address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

thekelleys
dnsmasq
≤ 2.83
fedoraproject
fedora
32, 33
debian
debian linux
10.0, 9.0
arista
eos
4.21 — 4.21.14m · 4.22 — 4.22.9m · 4.23 — 4.23.7m

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-358

Assessments identify and document improperly implemented security checks, allowing fixes that reduce exploitation of flawed checks.

References