C Ares
CVE-2017-1000381
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
AnalysisAI
The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. Affected products include: C-Ares, C-Ares Project C-Ares, Nodejs Node.Js.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to caus
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Se
c-ares is an asynchronous resolver library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial
c-ares is an asynchronous resolver library. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable
c-ares is an asynchronous resolver library. Rated medium severity (CVSS 6.4). No vendor patch available.
c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts whe
c-ares is an asynchronous resolver library. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, n
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today