C Ares
CVE-2023-31124
LOW
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
AnalysisAI
c-ares is an asynchronous resolver library. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-330. c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. Affected products include: C-Ares Project C-Ares, Fedoraproject Fedora. Version information: version 1.19.1..
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to caus
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Se
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read me
c-ares is an asynchronous resolver library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial
c-ares is an asynchronous resolver library. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable
c-ares is an asynchronous resolver library. Rated medium severity (CVSS 6.4). No vendor patch available.
c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts whe
Same weakness CWE-330 – Use of Insufficiently Random Values
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today