Vulnerabilites related to c-ares - c-ares
cve-2020-14354
Vulnerability from cvelistv5
Published
2021-05-13 13:38
Modified
2024-08-04 12:39
Severity ?
EPSS score ?
Summary
A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/ | vendor-advisory, x_refsource_FEDORA | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1866838 | x_refsource_MISC | |
| https://packetstormsecurity.com/files/158755/GS20200804145053.txt | x_refsource_MISC | |
| https://c-ares.haxx.se/changelog.html | x_refsource_MISC | |
| https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:39:36.541Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2020-43d5a372fc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://c-ares.haxx.se/changelog.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "c-ares",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "c-ares 1.16.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120-\u003eCWE-416",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T13:39:35",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "FEDORA-2020-43d5a372fc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://c-ares.haxx.se/changelog.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-14354",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "c-ares",
"version": {
"version_data": [
{
"version_value": "c-ares 1.16.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-120-\u003eCWE-416"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2020-43d5a372fc",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838"
},
{
"name": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt"
},
{
"name": "https://c-ares.haxx.se/changelog.html",
"refsource": "MISC",
"url": "https://c-ares.haxx.se/changelog.html"
},
{
"name": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
"refsource": "MISC",
"url": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-14354",
"datePublished": "2021-05-13T13:38:56",
"dateReserved": "2020-06-17T00:00:00",
"dateUpdated": "2024-08-04T12:39:36.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-25629
Vulnerability from cvelistv5
Published
2024-02-23 14:52
Modified
2025-02-13 17:40
Severity ?
EPSS score ?
Summary
c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25629",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-23T19:18:11.897134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:35:14.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:44:09.807Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q"
},
{
"name": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX37LFPFQ3T6FFMMFYQTEGIQXXN7F27U/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2P76QYINQNPEHUTEEDOUYIRZ2X6UVZ5K/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSCMTSPDIE2UHU34TIXQQHZ6JTE3Y3VF/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "c-ares",
"vendor": "c-ares",
"versions": [
{
"status": "affected",
"version": "\u003c 1.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-127",
"description": "CWE-127: Buffer Under-read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-19T23:06:15.852Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q"
},
{
"name": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX37LFPFQ3T6FFMMFYQTEGIQXXN7F27U/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2P76QYINQNPEHUTEEDOUYIRZ2X6UVZ5K/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSCMTSPDIE2UHU34TIXQQHZ6JTE3Y3VF/"
}
],
"source": {
"advisory": "GHSA-mg26-v6qh-x48q",
"discovery": "UNKNOWN"
},
"title": "c-ares out of bounds read in ares__read_line()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-25629",
"datePublished": "2024-02-23T14:52:24.967Z",
"dateReserved": "2024-02-08T22:26:33.512Z",
"dateUpdated": "2025-02-13T17:40:51.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-22217
Vulnerability from cvelistv5
Published
2023-08-22 00:00
Modified
2024-10-03 19:59
Severity ?
EPSS score ?
Summary
Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:51:10.438Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/issues/333"
},
{
"name": "[debian-lts-announce] 20230915 [SECURITY] [DLA 3567-1] c-ares security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00014.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-22217",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T19:59:20.865542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T19:59:30.808Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T08:06:18.645150",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/c-ares/c-ares/issues/333"
},
{
"name": "[debian-lts-announce] 20230915 [SECURITY] [DLA 3567-1] c-ares security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00014.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-22217",
"datePublished": "2023-08-22T00:00:00",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-10-03T19:59:30.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-31130
Vulnerability from cvelistv5
Published
2023-05-25 21:45
Modified
2025-02-13 16:49
Severity ?
EPSS score ?
Summary
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:26.018Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v"
},
{
"name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5419"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202310-09"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240605-0005/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T18:35:37.326640Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T18:35:44.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "c-ares",
"vendor": "c-ares",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-124",
"description": "CWE-124: Buffer Underwrite (\u0027Buffer Underflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T16:08:34.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v"
},
{
"name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
},
{
"url": "https://www.debian.org/security/2023/dsa-5419"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"
},
{
"url": "https://security.gentoo.org/glsa/202310-09"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240605-0005/"
}
],
"source": {
"advisory": "GHSA-x6mf-cxr9-8q6v",
"discovery": "UNKNOWN"
},
"title": "Buffer Underwrite in ares_inet_net_pton()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-31130",
"datePublished": "2023-05-25T21:45:42.645Z",
"dateReserved": "2023-04-24T21:44:10.416Z",
"dateUpdated": "2025-02-13T16:49:44.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-31124
Vulnerability from cvelistv5
Published
2023-05-25 21:09
Modified
2025-02-13 16:49
Severity ?
EPSS score ?
Summary
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.746Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4"
},
{
"name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202310-09"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31124",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T18:36:12.341822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T18:36:25.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "c-ares",
"vendor": "c-ares",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-08T08:06:46.531Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4"
},
{
"name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
},
{
"url": "https://security.gentoo.org/glsa/202310-09"
}
],
"source": {
"advisory": "GHSA-54xr-f67r-4pc4",
"discovery": "UNKNOWN"
},
"title": "AutoTools does not set CARES_RANDOM_FILE during cross compilation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-31124",
"datePublished": "2023-05-25T21:09:31.881Z",
"dateReserved": "2023-04-24T21:44:10.415Z",
"dateUpdated": "2025-02-13T16:49:43.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-32067
Vulnerability from cvelistv5
Published
2023-05-25 22:49
Modified
2025-02-13 16:50
Severity ?
EPSS score ?
Summary
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fedora",
"vendor": "fedoraproject",
"versions": [
{
"status": "affected",
"version": "37"
}
]
},
{
"cpes": [
"cpe:2.3:a:c-ares:c-ares:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "c-ares",
"vendor": "c-ares",
"versions": [
{
"lessThan": "1.19.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fedora",
"vendor": "fedoraproject",
"versions": [
{
"status": "affected",
"version": "38"
}
]
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "10.0"
},
{
"status": "affected",
"version": "11.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32067",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T18:37:41.012008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T18:42:36.162Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc"
},
{
"name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5419"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202310-09"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240605-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "c-ares",
"vendor": "c-ares",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T18:07:51.331Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc"
},
{
"name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
},
{
"url": "https://www.debian.org/security/2023/dsa-5419"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"
},
{
"url": "https://security.gentoo.org/glsa/202310-09"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240605-0004/"
}
],
"source": {
"advisory": "GHSA-9g78-jv2r-p7vc",
"discovery": "UNKNOWN"
},
"title": "0-byte UDP payload DoS in c-ares"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32067",
"datePublished": "2023-05-25T22:49:55.860Z",
"dateReserved": "2023-05-01T16:47:35.314Z",
"dateUpdated": "2025-02-13T16:50:20.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-5180
Vulnerability from cvelistv5
Published
2016-10-03 15:00
Modified
2024-08-06 00:53
Severity ?
EPSS score ?
Summary
Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
References
| ▼ | URL | Tags |
|---|---|---|
| https://source.android.com/security/bulletin/2017-01-01.html | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/93243 | vdb-entry, x_refsource_BID | |
| http://www.ubuntu.com/usn/USN-3143-1 | vendor-advisory, x_refsource_UBUNTU | |
| https://security.gentoo.org/glsa/201701-28 | vendor-advisory, x_refsource_GENTOO | |
| http://www.debian.org/security/2016/dsa-3682 | vendor-advisory, x_refsource_DEBIAN | |
| https://c-ares.haxx.se/adv_20160929.html | x_refsource_CONFIRM | |
| https://c-ares.haxx.se/CVE-2016-5180.patch | x_refsource_CONFIRM | |
| https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html | x_refsource_CONFIRM | |
| http://rhn.redhat.com/errata/RHSA-2017-0002.html | vendor-advisory, x_refsource_REDHAT |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:53:48.437Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://source.android.com/security/bulletin/2017-01-01.html"
},
{
"name": "93243",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/93243"
},
{
"name": "USN-3143-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-3143-1"
},
{
"name": "GLSA-201701-28",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201701-28"
},
{
"name": "DSA-3682",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3682"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://c-ares.haxx.se/adv_20160929.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://c-ares.haxx.se/CVE-2016-5180.patch"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html"
},
{
"name": "RHSA-2017:0002",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-09-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-04T19:57:01",
"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"shortName": "Chrome"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://source.android.com/security/bulletin/2017-01-01.html"
},
{
"name": "93243",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/93243"
},
{
"name": "USN-3143-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-3143-1"
},
{
"name": "GLSA-201701-28",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201701-28"
},
{
"name": "DSA-3682",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3682"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://c-ares.haxx.se/adv_20160929.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://c-ares.haxx.se/CVE-2016-5180.patch"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html"
},
{
"name": "RHSA-2017:0002",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@google.com",
"ID": "CVE-2016-5180",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://source.android.com/security/bulletin/2017-01-01.html",
"refsource": "CONFIRM",
"url": "https://source.android.com/security/bulletin/2017-01-01.html"
},
{
"name": "93243",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/93243"
},
{
"name": "USN-3143-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-3143-1"
},
{
"name": "GLSA-201701-28",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201701-28"
},
{
"name": "DSA-3682",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3682"
},
{
"name": "https://c-ares.haxx.se/adv_20160929.html",
"refsource": "CONFIRM",
"url": "https://c-ares.haxx.se/adv_20160929.html"
},
{
"name": "https://c-ares.haxx.se/CVE-2016-5180.patch",
"refsource": "CONFIRM",
"url": "https://c-ares.haxx.se/CVE-2016-5180.patch"
},
{
"name": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html",
"refsource": "CONFIRM",
"url": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html"
},
{
"name": "RHSA-2017:0002",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"assignerShortName": "Chrome",
"cveId": "CVE-2016-5180",
"datePublished": "2016-10-03T15:00:00",
"dateReserved": "2016-05-31T00:00:00",
"dateUpdated": "2024-08-06T00:53:48.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-1000381
Vulnerability from cvelistv5
Published
2017-07-07 17:00
Modified
2024-08-05 22:00
Severity ?
EPSS score ?
Summary
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
References
| ▼ | URL | Tags |
|---|---|---|
| https://c-ares.haxx.se/0616.patch | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/99148 | vdb-entry, x_refsource_BID | |
| https://c-ares.haxx.se/adv_20170620.html | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:00:40.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://c-ares.haxx.se/0616.patch"
},
{
"name": "99148",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99148"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://c-ares.haxx.se/adv_20170620.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-06-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-10T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://c-ares.haxx.se/0616.patch"
},
{
"name": "99148",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99148"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://c-ares.haxx.se/adv_20170620.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-1000381",
"REQUESTER": "daniel@haxx.se",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://c-ares.haxx.se/0616.patch",
"refsource": "CONFIRM",
"url": "https://c-ares.haxx.se/0616.patch"
},
{
"name": "99148",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99148"
},
{
"name": "https://c-ares.haxx.se/adv_20170620.html",
"refsource": "CONFIRM",
"url": "https://c-ares.haxx.se/adv_20170620.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-1000381",
"datePublished": "2017-07-07T17:00:00",
"dateReserved": "2017-07-07T00:00:00",
"dateUpdated": "2024-08-05T22:00:40.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-31147
Vulnerability from cvelistv5
Published
2023-05-25 21:55
Modified
2025-02-13 16:49
Severity ?
EPSS score ?
Summary
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.630Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2"
},
{
"name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202310-09"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T18:25:39.252161Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T18:25:47.351Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "c-ares",
"vendor": "c-ares",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-08T08:06:48.246Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2"
},
{
"name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
},
{
"url": "https://security.gentoo.org/glsa/202310-09"
}
],
"source": {
"advisory": "GHSA-8r8p-23f3-64c2",
"discovery": "UNKNOWN"
},
"title": "Insufficient randomness in generation of DNS query IDs in c-ares"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-31147",
"datePublished": "2023-05-25T21:55:47.585Z",
"dateReserved": "2023-04-24T21:44:10.418Z",
"dateUpdated": "2025-02-13T16:49:46.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2017-07-07 17:29
Modified
2024-11-21 03:04
Severity ?
Summary
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/99148 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://c-ares.haxx.se/0616.patch | Mailing List, Vendor Advisory | |
| cve@mitre.org | https://c-ares.haxx.se/adv_20170620.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99148 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://c-ares.haxx.se/0616.patch | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://c-ares.haxx.se/adv_20170620.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| c-ares | c-ares | 1.8.0 | |
| c-ares | c-ares | 1.9.0 | |
| c-ares | c-ares | 1.9.1 | |
| c-ares | c-ares | 1.10.0 | |
| c-ares | c-ares | 1.12.0 | |
| c-ares_project | c-ares | 1.11.0 | |
| c-ares_project | c-ares | 1.11.0 | |
| nodejs | node.js | * | |
| nodejs | node.js | * | |
| nodejs | node.js | * | |
| nodejs | node.js | * | |
| nodejs | node.js | * | |
| nodejs | node.js | * | |
| nodejs | node.js | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7BDB0FC-AA36-4C41-B3DC-201F0DE0191A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5B38F8E2-7710-4303-A80F-9009619BEC7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "AA1637EF-3393-4770-91AE-89EA53D57830",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "93FA2559-0DB1-49BE-A6E6-C73408F4AB57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B92EADF5-3500-4F37-808E-41DC48DE8D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares_project:c-ares:1.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B8F4F4BD-4316-4CB2-8FCE-9EE5C59E64EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares_project:c-ares:1.11.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "476034B6-69BF-4130-8139-D5DDC1EB0028",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
"matchCriteriaId": "A47FC4F7-1F77-4314-B4B3-3C5D8E335379",
"versionEndIncluding": "4.1.2",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "AC1070A7-E3E0-423C-A73A-040FCED8AD96",
"versionEndExcluding": "4.8.4",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
"matchCriteriaId": "121E5D5D-B4D9-43F3-B5C9-74590192FAF1",
"versionEndIncluding": "5.12.0",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
"matchCriteriaId": "D107EC29-67E7-40C3-8E5A-324C9105C5E4",
"versionEndIncluding": "6.8.1",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "6EA3B1B4-3576-4508-AC77-4AE3A5622E09",
"versionEndExcluding": "6.11.1",
"versionStartIncluding": "6.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
"matchCriteriaId": "B9C02D94-B713-4BE4-8C26-F21C2ADC01B0",
"versionEndExcluding": "7.10.1",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
"matchCriteriaId": "02C6E585-2704-4EC2-BED1-CF6D61BE9CC9",
"versionEndExcluding": "8.1.4",
"versionStartIncluding": "8.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way."
},
{
"lang": "es",
"value": "La funci\u00f3n \"ares_parse_naptr_reply()\" de c-ares, que es usada para analizar las respuestas NAPTR, podr\u00eda ser activada para leer la memoria fuera del b\u00fafer de entrada dado si el pasado en el paquete de respuesta DNS fue creado de una manera particular."
}
],
"id": "CVE-2017-1000381",
"lastModified": "2024-11-21T03:04:36.013",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-07T17:29:00.307",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/99148"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://c-ares.haxx.se/0616.patch"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://c-ares.haxx.se/adv_20170620.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/99148"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://c-ares.haxx.se/0616.patch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://c-ares.haxx.se/adv_20170620.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-23 15:15
Modified
2025-02-05 21:41
Severity ?
4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| c-ares | c-ares | * | |
| fedoraproject | fedora | 38 | |
| fedoraproject | fedora | 39 | |
| fedoraproject | fedora | 40 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:c-ares:c-ares:*:*:*:*:*:*:*:*",
"matchCriteriaId": "33B2994F-77FD-46CD-B5DC-9DD93A338656",
"versionEndExcluding": "1.27.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
"matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*",
"matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist."
},
{
"lang": "es",
"value": "c-ares es una librer\u00eda C para solicitudes DNS asincr\u00f3nicas. `ares__read_line()` se usa para analizar archivos de configuraci\u00f3n locales como `/etc/resolv.conf`, `/etc/nsswitch.conf`, el archivo `HOSTALIASES` y si se usa una versi\u00f3n de c-ares anterior a 1.27. 0, el archivo `/etc/hosts`. Si alguno de estos archivos de configuraci\u00f3n tiene un car\u00e1cter \"NULL\" incrustado como primer car\u00e1cter en una nueva l\u00ednea, puede provocar que se intente leer la memoria antes del inicio del b\u00fafer dado, lo que puede provocar un bloqueo. Este problema se solucion\u00f3 en c-ares 1.27.0. No existen workarounds."
}
],
"id": "CVE-2024-25629",
"lastModified": "2025-02-05T21:41:30.157",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-23T15:15:09.237",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2P76QYINQNPEHUTEEDOUYIRZ2X6UVZ5K/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSCMTSPDIE2UHU34TIXQQHZ6JTE3Y3VF/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX37LFPFQ3T6FFMMFYQTEGIQXXN7F27U/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2P76QYINQNPEHUTEEDOUYIRZ2X6UVZ5K/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSCMTSPDIE2UHU34TIXQQHZ6JTE3Y3VF/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX37LFPFQ3T6FFMMFYQTEGIQXXN7F27U/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-127"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-125"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-10-03 15:59
Modified
2024-11-21 02:53
Severity ?
Summary
Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| c-ares | c-ares | 1.0.0 | |
| c-ares | c-ares | 1.1.0 | |
| c-ares | c-ares | 1.2.0 | |
| c-ares | c-ares | 1.2.1 | |
| c-ares | c-ares | 1.3.0 | |
| c-ares | c-ares | 1.3.1 | |
| c-ares | c-ares | 1.3.2 | |
| c-ares | c-ares | 1.4.0 | |
| c-ares | c-ares | 1.5.0 | |
| c-ares | c-ares | 1.5.1 | |
| c-ares | c-ares | 1.5.2 | |
| c-ares | c-ares | 1.5.3 | |
| c-ares | c-ares | 1.6.0 | |
| c-ares | c-ares | 1.7.0 | |
| c-ares | c-ares | 1.7.1 | |
| c-ares | c-ares | 1.7.2 | |
| c-ares | c-ares | 1.7.3 | |
| c-ares | c-ares | 1.7.4 | |
| c-ares | c-ares | 1.7.5 | |
| c-ares | c-ares | 1.8.0 | |
| c-ares | c-ares | 1.9.0 | |
| c-ares | c-ares | 1.9.1 | |
| c-ares | c-ares | 1.10.0 | |
| c-ares_project | c-ares | 1.11.0 | |
| debian | debian_linux | 8.0 | |
| nodejs | node.js | * | |
| nodejs | node.js | * | |
| nodejs | node.js | * | |
| canonical | ubuntu_linux | 12.04 | |
| canonical | ubuntu_linux | 14.04 | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 16.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1290A1CC-6506-4D8A-A4A6-055A38D57547",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5FB2A771-24BE-4FB5-87E9-25C385848AAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CE64E1CB-185E-481B-BC81-C28D216ED470",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "530ACB4D-6981-4B39-857E-CBB07EB0CA4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3B33501E-65BA-45BB-860D-39FA94D010A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9AA3F962-8659-444F-BB08-6CBED2661C82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "644E7D14-54E1-4F7E-A640-514A88E03D26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4E515118-8774-4C7F-8261-305910EF643F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C6C473F9-81E3-4555-8469-63A27DEDEDD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "19E695E5-93F5-49FD-AB58-D53169E1AB69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1B168912-2129-4833-B448-BC7616355885",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "47AD1736-F47B-4A93-9D59-C88BE0D10FA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AA4D5F27-A8F0-41B4-9832-4F9830F96B26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "340C5CF0-AC09-4C17-9F15-6B0BEAC62629",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "44895917-6186-477B-9B72-AA7B20B3E3E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FA26B2AA-395B-4D6C-8260-569E54751532",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "800D4E24-7E7A-4316-86F1-B8150DAE540C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3710921E-94D4-4D9E-BD45-86E23ECE8C7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.7.5:*:*:*:*:*:*:*",
"matchCriteriaId": "8883FA5A-CC60-4275-9C3B-31A7FBD2A073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7BDB0FC-AA36-4C41-B3DC-201F0DE0191A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5B38F8E2-7710-4303-A80F-9009619BEC7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "AA1637EF-3393-4770-91AE-89EA53D57830",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "93FA2559-0DB1-49BE-A6E6-C73408F4AB57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares_project:c-ares:1.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B8F4F4BD-4316-4CB2-8FCE-9EE5C59E64EA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C73D7118-BF5A-4651-88A3-5BD1F91073C0",
"versionEndExcluding": "0.10.48",
"versionStartIncluding": "0.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E18583B6-328E-4EC2-9CC2-E13B1EFA8576",
"versionEndExcluding": "0.12.17",
"versionStartIncluding": "0.12.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2E42AB86-763E-4ACE-83ED-E0ECA7E3BCC2",
"versionEndExcluding": "4.6.1",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*",
"matchCriteriaId": "CB66DB75-2B16-4EBF-9B93-CE49D8086E41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1AFB20FA-CB00-4729-AB3A-816454C6D096",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot."
},
{
"lang": "es",
"value": "Desbordamiento de b\u00fafer basado en memoria din\u00e1mica en la funci\u00f3n ares_create_query en c-ares 1.x en versiones anteriores a 1.12.0 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (escritura fuera de l\u00edmites) o posiblemente ejecutar c\u00f3digo arbitrario a trav\u00e9s de un nombre de host con puntos finales de fuga."
}
],
"id": "CVE-2016-5180",
"lastModified": "2024-11-21T02:53:47.037",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-10-03T15:59:03.270",
"references": [
{
"source": "chrome-cve-admin@google.com",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
},
{
"source": "chrome-cve-admin@google.com",
"url": "http://www.debian.org/security/2016/dsa-3682"
},
{
"source": "chrome-cve-admin@google.com",
"url": "http://www.securityfocus.com/bid/93243"
},
{
"source": "chrome-cve-admin@google.com",
"url": "http://www.ubuntu.com/usn/USN-3143-1"
},
{
"source": "chrome-cve-admin@google.com",
"url": "https://c-ares.haxx.se/CVE-2016-5180.patch"
},
{
"source": "chrome-cve-admin@google.com",
"url": "https://c-ares.haxx.se/adv_20160929.html"
},
{
"source": "chrome-cve-admin@google.com",
"url": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html"
},
{
"source": "chrome-cve-admin@google.com",
"url": "https://security.gentoo.org/glsa/201701-28"
},
{
"source": "chrome-cve-admin@google.com",
"url": "https://source.android.com/security/bulletin/2017-01-01.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3682"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/93243"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-3143-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://c-ares.haxx.se/CVE-2016-5180.patch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://c-ares.haxx.se/adv_20160929.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/201701-28"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://source.android.com/security/bulletin/2017-01-01.html"
}
],
"sourceIdentifier": "chrome-cve-admin@google.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-05-13 14:15
Modified
2024-11-21 05:03
Severity ?
Summary
A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| c-ares | c-ares | 1.16.0 | |
| fedoraproject | fedora | 33 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.16.0:*:*:*:*:*:*:*",
"matchCriteriaId": "59640538-D3DC-457C-B042-5D2B8F445A46",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability."
},
{
"lang": "es",
"value": "Un posible uso de la memoria previamente liberada y una doble liberaci\u00f3n en c-ares lib versi\u00f3n 1.16.0, si la funci\u00f3n ares_destroy() es llamado antes de completar la funci\u00f3n ares_getaddrinfo().\u0026#xa0;Este fallo posiblemente permite a un atacante bloquear el servicio que usa c-ares lib.\u0026#xa0;La mayor amenaza de esta vulnerabilidad es la disponibilidad de este servicio"
}
],
"id": "CVE-2020-14354",
"lastModified": "2024-11-21T05:03:04.703",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-13T14:15:17.503",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://c-ares.haxx.se/changelog.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://c-ares.haxx.se/changelog.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-120"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-415"
},
{
"lang": "en",
"value": "CWE-416"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-08-22 19:16
Modified
2024-11-21 05:13
Severity ?
Summary
Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/c-ares/c-ares/issues/333 | Exploit, Issue Tracking, Patch | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2023/09/msg00014.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/c-ares/c-ares/issues/333 | Exploit, Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2023/09/msg00014.html | Mailing List, Third Party Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.16.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F414AE45-51A4-439A-9522-74D765564707",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:c-ares:c-ares:1.17.0:*:*:*:*:*:*:*",
"matchCriteriaId": "80C8C96E-B5F9-41C8-AE10-AF1D7AC3CFEF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c."
},
{
"lang": "es",
"value": "Vulnerabilidad de desbordamiento de b\u00fafer en c-ares antes de 1_16_1 a 1_17_0 mediante la funci\u00f3n ares_parse_soa_reply en ares_parse_soa_reply.c."
}
],
"id": "CVE-2020-22217",
"lastModified": "2024-11-21T05:13:11.640",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-22T19:16:19.050",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/c-ares/c-ares/issues/333"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/c-ares/c-ares/issues/333"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00014.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-125"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}