Search

Find a vulnerability

Search criteria

    22 vulnerabilities found for c-ares by c-ares

    CVE-2025-62408 (GCVE-0-2025-62408)

    Vulnerability from nvd – Published: 2025-12-08 22:04 – Updated: 2025-12-09 16:05
    VLAI
    Title
    c-ares has a Use After Free vulnerability when connection is cleaned up after error
    Summary
    c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: > 1.32.3, < 1.34.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62408",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-09T14:20:03.531539Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-09T16:05:06.098Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e 1.32.3, \u003c 1.34.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5  terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-08T22:04:08.565Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5"
            },
            {
              "name": "https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618"
            }
          ],
          "source": {
            "advisory": "GHSA-jq53-42q6-pqr5",
            "discovery": "UNKNOWN"
          },
          "title": "c-ares has a Use After Free vulnerability when connection is cleaned up after error"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-62408",
        "datePublished": "2025-12-08T22:04:08.565Z",
        "dateReserved": "2025-10-13T16:26:12.178Z",
        "dateUpdated": "2025-12-09T16:05:06.098Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-31498 (GCVE-0-2025-31498)

    Vulnerability from nvd – Published: 2025-04-08 13:53 – Updated: 2025-04-08 18:40
    VLAI
    Title
    c-ares has a use-after-free in read_answers()
    Summary
    c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: >= 1.32.3, < 1.34.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-04-08T15:03:00.750Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/04/08/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31498",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-08T18:40:21.274882Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-08T18:40:36.081Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.32.3, \u003c 1.34.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-08T13:53:11.232Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-6hxc-62jh-p29v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-6hxc-62jh-p29v"
            },
            {
              "name": "https://github.com/c-ares/c-ares/pull/821",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/pull/821"
            },
            {
              "name": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1"
            }
          ],
          "source": {
            "advisory": "GHSA-6hxc-62jh-p29v",
            "discovery": "UNKNOWN"
          },
          "title": "c-ares has a use-after-free in read_answers()"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-31498",
        "datePublished": "2025-04-08T13:53:11.232Z",
        "dateReserved": "2025-03-28T13:36:51.300Z",
        "dateUpdated": "2025-04-08T18:40:36.081Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-25629 (GCVE-0-2024-25629)

    Vulnerability from nvd – Published: 2024-02-23 14:52 – Updated: 2025-02-13 17:40
    VLAI
    Title
    c-ares out of bounds read in ares__read_line()
    Summary
    c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: < 1.27.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-25629",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-23T19:18:11.897134Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:35:14.331Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:44:09.807Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q"
              },
              {
                "name": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX37LFPFQ3T6FFMMFYQTEGIQXXN7F27U/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2P76QYINQNPEHUTEEDOUYIRZ2X6UVZ5K/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSCMTSPDIE2UHU34TIXQQHZ6JTE3Y3VF/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.27.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-127",
                  "description": "CWE-127: Buffer Under-read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-19T23:06:15.852Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q"
            },
            {
              "name": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX37LFPFQ3T6FFMMFYQTEGIQXXN7F27U/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2P76QYINQNPEHUTEEDOUYIRZ2X6UVZ5K/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSCMTSPDIE2UHU34TIXQQHZ6JTE3Y3VF/"
            }
          ],
          "source": {
            "advisory": "GHSA-mg26-v6qh-x48q",
            "discovery": "UNKNOWN"
          },
          "title": "c-ares out of bounds read in ares__read_line()"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-25629",
        "datePublished": "2024-02-23T14:52:24.967Z",
        "dateReserved": "2024-02-08T22:26:33.512Z",
        "dateUpdated": "2025-02-13T17:40:51.243Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-22217 (GCVE-0-2020-22217)

    Vulnerability from nvd – Published: 2023-08-22 00:00 – Updated: 2024-10-03 19:59
    VLAI
    Summary
    Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T14:51:10.438Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/issues/333"
              },
              {
                "name": "[debian-lts-announce] 20230915 [SECURITY] [DLA 3567-1] c-ares security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00014.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-22217",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-03T19:59:20.865542Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-03T19:59:30.808Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-15T08:06:18.645Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/c-ares/c-ares/issues/333"
            },
            {
              "name": "[debian-lts-announce] 20230915 [SECURITY] [DLA 3567-1] c-ares security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00014.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-22217",
        "datePublished": "2023-08-22T00:00:00.000Z",
        "dateReserved": "2020-08-13T00:00:00.000Z",
        "dateUpdated": "2024-10-03T19:59:30.808Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32067 (GCVE-0-2023-32067)

    Vulnerability from nvd – Published: 2023-05-25 22:49 – Updated: 2025-02-13 16:50
    VLAI
    Title
    0-byte UDP payload DoS in c-ares
    Summary
    c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: < 1.19.1
    Create a notification for this product.
    fedoraproject fedora Affected: 37
        cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
    Create a notification for this product.
    c-ares c-ares Affected: 0 , < 1.19.1 (custom)
        cpe:2.3:a:c-ares:c-ares:*:*:*:*:*:*:*:*
    Create a notification for this product.
    fedoraproject fedora Affected: 38
        cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
    Create a notification for this product.
    debian debian_linux Affected: 10.0
    Affected: 11.0
        cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
        cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fedora",
                "vendor": "fedoraproject",
                "versions": [
                  {
                    "status": "affected",
                    "version": "37"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:c-ares:c-ares:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "c-ares",
                "vendor": "c-ares",
                "versions": [
                  {
                    "lessThan": "1.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fedora",
                "vendor": "fedoraproject",
                "versions": [
                  {
                    "status": "affected",
                    "version": "38"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                  "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "debian_linux",
                "vendor": "debian",
                "versions": [
                  {
                    "status": "affected",
                    "version": "10.0"
                  },
                  {
                    "status": "affected",
                    "version": "11.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32067",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-16T18:37:41.012008Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-16T18:42:36.162Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:03:28.668Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc"
              },
              {
                "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5419"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202310-09"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240605-0004/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-10T18:07:51.331Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc"
            },
            {
              "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5419"
            },
            {
              "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"
            },
            {
              "url": "https://security.gentoo.org/glsa/202310-09"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240605-0004/"
            }
          ],
          "source": {
            "advisory": "GHSA-9g78-jv2r-p7vc",
            "discovery": "UNKNOWN"
          },
          "title": "0-byte UDP payload DoS in c-ares"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-32067",
        "datePublished": "2023-05-25T22:49:55.860Z",
        "dateReserved": "2023-05-01T16:47:35.314Z",
        "dateUpdated": "2025-02-13T16:50:20.105Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-31147 (GCVE-0-2023-31147)

    Vulnerability from nvd – Published: 2023-05-25 21:55 – Updated: 2025-02-13 16:49
    VLAI
    Title
    Insufficient randomness in generation of DNS query IDs in c-ares
    Summary
    c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-330 - Use of Insufficiently Random Values
    Assigner
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: < 1.19.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:45:25.630Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2"
              },
              {
                "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202310-09"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-31147",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T18:25:39.252161Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-16T18:25:47.351Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-330",
                  "description": "CWE-330: Use of Insufficiently Random Values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-08T08:06:48.246Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2"
            },
            {
              "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
            },
            {
              "url": "https://security.gentoo.org/glsa/202310-09"
            }
          ],
          "source": {
            "advisory": "GHSA-8r8p-23f3-64c2",
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient randomness in generation of DNS query IDs in c-ares"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-31147",
        "datePublished": "2023-05-25T21:55:47.585Z",
        "dateReserved": "2023-04-24T21:44:10.418Z",
        "dateUpdated": "2025-02-13T16:49:46.904Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-31130 (GCVE-0-2023-31130)

    Vulnerability from nvd – Published: 2023-05-25 21:45 – Updated: 2025-02-13 16:49
    VLAI
    Title
    Buffer Underwrite in ares_inet_net_pton()
    Summary
    c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-124 - Buffer Underwrite ('Buffer Underflow')
    Assigner
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: < 1.19.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:45:26.018Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v"
              },
              {
                "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5419"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202310-09"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240605-0005/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-31130",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T18:35:37.326640Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-16T18:35:44.800Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue.  C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-124",
                  "description": "CWE-124: Buffer Underwrite (\u0027Buffer Underflow\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-10T16:08:34.510Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v"
            },
            {
              "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5419"
            },
            {
              "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"
            },
            {
              "url": "https://security.gentoo.org/glsa/202310-09"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240605-0005/"
            }
          ],
          "source": {
            "advisory": "GHSA-x6mf-cxr9-8q6v",
            "discovery": "UNKNOWN"
          },
          "title": "Buffer Underwrite in ares_inet_net_pton()"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-31130",
        "datePublished": "2023-05-25T21:45:42.645Z",
        "dateReserved": "2023-04-24T21:44:10.416Z",
        "dateUpdated": "2025-02-13T16:49:44.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-31124 (GCVE-0-2023-31124)

    Vulnerability from nvd – Published: 2023-05-25 21:09 – Updated: 2025-02-13 16:49
    VLAI
    Title
    AutoTools does not set CARES_RANDOM_FILE during cross compilation
    Summary
    c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-330 - Use of Insufficiently Random Values
    Assigner
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: < 1.19.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:45:25.746Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4"
              },
              {
                "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202310-09"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-31124",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T18:36:12.341822Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-16T18:36:25.449Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android.  This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-330",
                  "description": "CWE-330: Use of Insufficiently Random Values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-08T08:06:46.531Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4"
            },
            {
              "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
            },
            {
              "url": "https://security.gentoo.org/glsa/202310-09"
            }
          ],
          "source": {
            "advisory": "GHSA-54xr-f67r-4pc4",
            "discovery": "UNKNOWN"
          },
          "title": "AutoTools does not set CARES_RANDOM_FILE during cross compilation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-31124",
        "datePublished": "2023-05-25T21:09:31.881Z",
        "dateReserved": "2023-04-24T21:44:10.415Z",
        "dateUpdated": "2025-02-13T16:49:43.787Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14354 (GCVE-0-2020-14354)

    Vulnerability from nvd – Published: 2021-05-13 13:38 – Updated: 2024-08-04 12:39
    VLAI
    Summary
    A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.
    Severity
    No CVSS data available.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    n/a c-ares Affected: c-ares 1.16.1
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.541Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "FEDORA-2020-43d5a372fc",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://c-ares.haxx.se/changelog.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "c-ares 1.16.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-120",
                  "description": "CWE-120-\u003eCWE-416",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-13T13:39:35.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "FEDORA-2020-43d5a372fc",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://c-ares.haxx.se/changelog.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-14354",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "c-ares",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "c-ares 1.16.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-120-\u003eCWE-416"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "FEDORA-2020-43d5a372fc",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838"
                },
                {
                  "name": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt",
                  "refsource": "MISC",
                  "url": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt"
                },
                {
                  "name": "https://c-ares.haxx.se/changelog.html",
                  "refsource": "MISC",
                  "url": "https://c-ares.haxx.se/changelog.html"
                },
                {
                  "name": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
                  "refsource": "MISC",
                  "url": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-14354",
        "datePublished": "2021-05-13T13:38:56.000Z",
        "dateReserved": "2020-06-17T00:00:00.000Z",
        "dateUpdated": "2024-08-04T12:39:36.541Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-1000381 (GCVE-0-2017-1000381)

    Vulnerability from nvd – Published: 2017-07-07 17:00 – Updated: 2024-08-05 22:00
    VLAI
    Summary
    The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://c-ares.haxx.se/0616.patch x_refsource_CONFIRM
    http://www.securityfocus.com/bid/99148 vdb-entryx_refsource_BID
    https://c-ares.haxx.se/adv_20170620.html x_refsource_CONFIRM
    Date Public
    2017-06-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T22:00:40.967Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://c-ares.haxx.se/0616.patch"
              },
              {
                "name": "99148",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/99148"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://c-ares.haxx.se/adv_20170620.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2017-06-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-07-10T09:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://c-ares.haxx.se/0616.patch"
            },
            {
              "name": "99148",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/99148"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://c-ares.haxx.se/adv_20170620.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2017-1000381",
              "REQUESTER": "daniel@haxx.se",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://c-ares.haxx.se/0616.patch",
                  "refsource": "CONFIRM",
                  "url": "https://c-ares.haxx.se/0616.patch"
                },
                {
                  "name": "99148",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/99148"
                },
                {
                  "name": "https://c-ares.haxx.se/adv_20170620.html",
                  "refsource": "CONFIRM",
                  "url": "https://c-ares.haxx.se/adv_20170620.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2017-1000381",
        "datePublished": "2017-07-07T17:00:00.000Z",
        "dateReserved": "2017-07-07T00:00:00.000Z",
        "dateUpdated": "2024-08-05T22:00:40.967Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-5180 (GCVE-0-2016-5180)

    Vulnerability from nvd – Published: 2016-10-03 15:00 – Updated: 2024-08-06 00:53
    VLAI
    Summary
    Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2016-09-29 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T00:53:48.437Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://source.android.com/security/bulletin/2017-01-01.html"
              },
              {
                "name": "93243",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/93243"
              },
              {
                "name": "USN-3143-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "http://www.ubuntu.com/usn/USN-3143-1"
              },
              {
                "name": "GLSA-201701-28",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201701-28"
              },
              {
                "name": "DSA-3682",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2016/dsa-3682"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://c-ares.haxx.se/adv_20160929.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://c-ares.haxx.se/CVE-2016-5180.patch"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html"
              },
              {
                "name": "RHSA-2017:0002",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-09-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-04T19:57:01.000Z",
            "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
            "shortName": "Chrome"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://source.android.com/security/bulletin/2017-01-01.html"
            },
            {
              "name": "93243",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/93243"
            },
            {
              "name": "USN-3143-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "http://www.ubuntu.com/usn/USN-3143-1"
            },
            {
              "name": "GLSA-201701-28",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201701-28"
            },
            {
              "name": "DSA-3682",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2016/dsa-3682"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://c-ares.haxx.se/adv_20160929.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://c-ares.haxx.se/CVE-2016-5180.patch"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html"
            },
            {
              "name": "RHSA-2017:0002",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@google.com",
              "ID": "CVE-2016-5180",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://source.android.com/security/bulletin/2017-01-01.html",
                  "refsource": "CONFIRM",
                  "url": "https://source.android.com/security/bulletin/2017-01-01.html"
                },
                {
                  "name": "93243",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/93243"
                },
                {
                  "name": "USN-3143-1",
                  "refsource": "UBUNTU",
                  "url": "http://www.ubuntu.com/usn/USN-3143-1"
                },
                {
                  "name": "GLSA-201701-28",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201701-28"
                },
                {
                  "name": "DSA-3682",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2016/dsa-3682"
                },
                {
                  "name": "https://c-ares.haxx.se/adv_20160929.html",
                  "refsource": "CONFIRM",
                  "url": "https://c-ares.haxx.se/adv_20160929.html"
                },
                {
                  "name": "https://c-ares.haxx.se/CVE-2016-5180.patch",
                  "refsource": "CONFIRM",
                  "url": "https://c-ares.haxx.se/CVE-2016-5180.patch"
                },
                {
                  "name": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html",
                  "refsource": "CONFIRM",
                  "url": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html"
                },
                {
                  "name": "RHSA-2017:0002",
                  "refsource": "REDHAT",
                  "url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
        "assignerShortName": "Chrome",
        "cveId": "CVE-2016-5180",
        "datePublished": "2016-10-03T15:00:00.000Z",
        "dateReserved": "2016-05-31T00:00:00.000Z",
        "dateUpdated": "2024-08-06T00:53:48.437Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-62408 (GCVE-0-2025-62408)

    Vulnerability from cvelistv5 – Published: 2025-12-08 22:04 – Updated: 2025-12-09 16:05
    VLAI
    Title
    c-ares has a Use After Free vulnerability when connection is cleaned up after error
    Summary
    c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: > 1.32.3, < 1.34.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62408",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-09T14:20:03.531539Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-09T16:05:06.098Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e 1.32.3, \u003c 1.34.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5  terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-08T22:04:08.565Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5"
            },
            {
              "name": "https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618"
            }
          ],
          "source": {
            "advisory": "GHSA-jq53-42q6-pqr5",
            "discovery": "UNKNOWN"
          },
          "title": "c-ares has a Use After Free vulnerability when connection is cleaned up after error"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-62408",
        "datePublished": "2025-12-08T22:04:08.565Z",
        "dateReserved": "2025-10-13T16:26:12.178Z",
        "dateUpdated": "2025-12-09T16:05:06.098Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-31498 (GCVE-0-2025-31498)

    Vulnerability from cvelistv5 – Published: 2025-04-08 13:53 – Updated: 2025-04-08 18:40
    VLAI
    Title
    c-ares has a use-after-free in read_answers()
    Summary
    c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: >= 1.32.3, < 1.34.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-04-08T15:03:00.750Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/04/08/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31498",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-08T18:40:21.274882Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-08T18:40:36.081Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.32.3, \u003c 1.34.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-08T13:53:11.232Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-6hxc-62jh-p29v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-6hxc-62jh-p29v"
            },
            {
              "name": "https://github.com/c-ares/c-ares/pull/821",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/pull/821"
            },
            {
              "name": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1"
            }
          ],
          "source": {
            "advisory": "GHSA-6hxc-62jh-p29v",
            "discovery": "UNKNOWN"
          },
          "title": "c-ares has a use-after-free in read_answers()"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-31498",
        "datePublished": "2025-04-08T13:53:11.232Z",
        "dateReserved": "2025-03-28T13:36:51.300Z",
        "dateUpdated": "2025-04-08T18:40:36.081Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-25629 (GCVE-0-2024-25629)

    Vulnerability from cvelistv5 – Published: 2024-02-23 14:52 – Updated: 2025-02-13 17:40
    VLAI
    Title
    c-ares out of bounds read in ares__read_line()
    Summary
    c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: < 1.27.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-25629",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-23T19:18:11.897134Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:35:14.331Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:44:09.807Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q"
              },
              {
                "name": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX37LFPFQ3T6FFMMFYQTEGIQXXN7F27U/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2P76QYINQNPEHUTEEDOUYIRZ2X6UVZ5K/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSCMTSPDIE2UHU34TIXQQHZ6JTE3Y3VF/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.27.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-127",
                  "description": "CWE-127: Buffer Under-read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-19T23:06:15.852Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q"
            },
            {
              "name": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX37LFPFQ3T6FFMMFYQTEGIQXXN7F27U/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2P76QYINQNPEHUTEEDOUYIRZ2X6UVZ5K/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSCMTSPDIE2UHU34TIXQQHZ6JTE3Y3VF/"
            }
          ],
          "source": {
            "advisory": "GHSA-mg26-v6qh-x48q",
            "discovery": "UNKNOWN"
          },
          "title": "c-ares out of bounds read in ares__read_line()"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-25629",
        "datePublished": "2024-02-23T14:52:24.967Z",
        "dateReserved": "2024-02-08T22:26:33.512Z",
        "dateUpdated": "2025-02-13T17:40:51.243Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-22217 (GCVE-0-2020-22217)

    Vulnerability from cvelistv5 – Published: 2023-08-22 00:00 – Updated: 2024-10-03 19:59
    VLAI
    Summary
    Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T14:51:10.438Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/issues/333"
              },
              {
                "name": "[debian-lts-announce] 20230915 [SECURITY] [DLA 3567-1] c-ares security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00014.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-22217",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-03T19:59:20.865542Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-03T19:59:30.808Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-15T08:06:18.645Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/c-ares/c-ares/issues/333"
            },
            {
              "name": "[debian-lts-announce] 20230915 [SECURITY] [DLA 3567-1] c-ares security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00014.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-22217",
        "datePublished": "2023-08-22T00:00:00.000Z",
        "dateReserved": "2020-08-13T00:00:00.000Z",
        "dateUpdated": "2024-10-03T19:59:30.808Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32067 (GCVE-0-2023-32067)

    Vulnerability from cvelistv5 – Published: 2023-05-25 22:49 – Updated: 2025-02-13 16:50
    VLAI
    Title
    0-byte UDP payload DoS in c-ares
    Summary
    c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: < 1.19.1
    Create a notification for this product.
    fedoraproject fedora Affected: 37
        cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
    Create a notification for this product.
    c-ares c-ares Affected: 0 , < 1.19.1 (custom)
        cpe:2.3:a:c-ares:c-ares:*:*:*:*:*:*:*:*
    Create a notification for this product.
    fedoraproject fedora Affected: 38
        cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
    Create a notification for this product.
    debian debian_linux Affected: 10.0
    Affected: 11.0
        cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
        cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fedora",
                "vendor": "fedoraproject",
                "versions": [
                  {
                    "status": "affected",
                    "version": "37"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:c-ares:c-ares:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "c-ares",
                "vendor": "c-ares",
                "versions": [
                  {
                    "lessThan": "1.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fedora",
                "vendor": "fedoraproject",
                "versions": [
                  {
                    "status": "affected",
                    "version": "38"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                  "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "debian_linux",
                "vendor": "debian",
                "versions": [
                  {
                    "status": "affected",
                    "version": "10.0"
                  },
                  {
                    "status": "affected",
                    "version": "11.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32067",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-16T18:37:41.012008Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-16T18:42:36.162Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:03:28.668Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc"
              },
              {
                "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5419"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202310-09"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240605-0004/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-10T18:07:51.331Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc"
            },
            {
              "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5419"
            },
            {
              "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"
            },
            {
              "url": "https://security.gentoo.org/glsa/202310-09"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240605-0004/"
            }
          ],
          "source": {
            "advisory": "GHSA-9g78-jv2r-p7vc",
            "discovery": "UNKNOWN"
          },
          "title": "0-byte UDP payload DoS in c-ares"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-32067",
        "datePublished": "2023-05-25T22:49:55.860Z",
        "dateReserved": "2023-05-01T16:47:35.314Z",
        "dateUpdated": "2025-02-13T16:50:20.105Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-31147 (GCVE-0-2023-31147)

    Vulnerability from cvelistv5 – Published: 2023-05-25 21:55 – Updated: 2025-02-13 16:49
    VLAI
    Title
    Insufficient randomness in generation of DNS query IDs in c-ares
    Summary
    c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-330 - Use of Insufficiently Random Values
    Assigner
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: < 1.19.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:45:25.630Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2"
              },
              {
                "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202310-09"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-31147",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T18:25:39.252161Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-16T18:25:47.351Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-330",
                  "description": "CWE-330: Use of Insufficiently Random Values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-08T08:06:48.246Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2"
            },
            {
              "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
            },
            {
              "url": "https://security.gentoo.org/glsa/202310-09"
            }
          ],
          "source": {
            "advisory": "GHSA-8r8p-23f3-64c2",
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient randomness in generation of DNS query IDs in c-ares"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-31147",
        "datePublished": "2023-05-25T21:55:47.585Z",
        "dateReserved": "2023-04-24T21:44:10.418Z",
        "dateUpdated": "2025-02-13T16:49:46.904Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-31130 (GCVE-0-2023-31130)

    Vulnerability from cvelistv5 – Published: 2023-05-25 21:45 – Updated: 2025-02-13 16:49
    VLAI
    Title
    Buffer Underwrite in ares_inet_net_pton()
    Summary
    c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-124 - Buffer Underwrite ('Buffer Underflow')
    Assigner
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: < 1.19.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:45:26.018Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v"
              },
              {
                "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2023/dsa-5419"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202310-09"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240605-0005/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-31130",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T18:35:37.326640Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-16T18:35:44.800Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue.  C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-124",
                  "description": "CWE-124: Buffer Underwrite (\u0027Buffer Underflow\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-10T16:08:34.510Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v"
            },
            {
              "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
            },
            {
              "url": "https://www.debian.org/security/2023/dsa-5419"
            },
            {
              "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"
            },
            {
              "url": "https://security.gentoo.org/glsa/202310-09"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240605-0005/"
            }
          ],
          "source": {
            "advisory": "GHSA-x6mf-cxr9-8q6v",
            "discovery": "UNKNOWN"
          },
          "title": "Buffer Underwrite in ares_inet_net_pton()"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-31130",
        "datePublished": "2023-05-25T21:45:42.645Z",
        "dateReserved": "2023-04-24T21:44:10.416Z",
        "dateUpdated": "2025-02-13T16:49:44.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-31124 (GCVE-0-2023-31124)

    Vulnerability from cvelistv5 – Published: 2023-05-25 21:09 – Updated: 2025-02-13 16:49
    VLAI
    Title
    AutoTools does not set CARES_RANDOM_FILE during cross compilation
    Summary
    c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-330 - Use of Insufficiently Random Values
    Assigner
    Impacted products
    Vendor Product Version
    c-ares c-ares Affected: < 1.19.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:45:25.746Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4"
              },
              {
                "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202310-09"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-31124",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T18:36:12.341822Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-16T18:36:25.449Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "c-ares",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android.  This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-330",
                  "description": "CWE-330: Use of Insufficiently Random Values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-08T08:06:46.531Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4"
            },
            {
              "name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
            },
            {
              "url": "https://security.gentoo.org/glsa/202310-09"
            }
          ],
          "source": {
            "advisory": "GHSA-54xr-f67r-4pc4",
            "discovery": "UNKNOWN"
          },
          "title": "AutoTools does not set CARES_RANDOM_FILE during cross compilation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-31124",
        "datePublished": "2023-05-25T21:09:31.881Z",
        "dateReserved": "2023-04-24T21:44:10.415Z",
        "dateUpdated": "2025-02-13T16:49:43.787Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14354 (GCVE-0-2020-14354)

    Vulnerability from cvelistv5 – Published: 2021-05-13 13:38 – Updated: 2024-08-04 12:39
    VLAI
    Summary
    A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.
    Severity
    No CVSS data available.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    n/a c-ares Affected: c-ares 1.16.1
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.541Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "FEDORA-2020-43d5a372fc",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://c-ares.haxx.se/changelog.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "c-ares",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "c-ares 1.16.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-120",
                  "description": "CWE-120-\u003eCWE-416",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-13T13:39:35.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "FEDORA-2020-43d5a372fc",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://c-ares.haxx.se/changelog.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-14354",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "c-ares",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "c-ares 1.16.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-120-\u003eCWE-416"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "FEDORA-2020-43d5a372fc",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866838"
                },
                {
                  "name": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt",
                  "refsource": "MISC",
                  "url": "https://packetstormsecurity.com/files/158755/GS20200804145053.txt"
                },
                {
                  "name": "https://c-ares.haxx.se/changelog.html",
                  "refsource": "MISC",
                  "url": "https://c-ares.haxx.se/changelog.html"
                },
                {
                  "name": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
                  "refsource": "MISC",
                  "url": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-14354",
        "datePublished": "2021-05-13T13:38:56.000Z",
        "dateReserved": "2020-06-17T00:00:00.000Z",
        "dateUpdated": "2024-08-04T12:39:36.541Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-1000381 (GCVE-0-2017-1000381)

    Vulnerability from cvelistv5 – Published: 2017-07-07 17:00 – Updated: 2024-08-05 22:00
    VLAI
    Summary
    The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://c-ares.haxx.se/0616.patch x_refsource_CONFIRM
    http://www.securityfocus.com/bid/99148 vdb-entryx_refsource_BID
    https://c-ares.haxx.se/adv_20170620.html x_refsource_CONFIRM
    Date Public
    2017-06-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T22:00:40.967Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://c-ares.haxx.se/0616.patch"
              },
              {
                "name": "99148",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/99148"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://c-ares.haxx.se/adv_20170620.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2017-06-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-07-10T09:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://c-ares.haxx.se/0616.patch"
            },
            {
              "name": "99148",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/99148"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://c-ares.haxx.se/adv_20170620.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2017-1000381",
              "REQUESTER": "daniel@haxx.se",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://c-ares.haxx.se/0616.patch",
                  "refsource": "CONFIRM",
                  "url": "https://c-ares.haxx.se/0616.patch"
                },
                {
                  "name": "99148",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/99148"
                },
                {
                  "name": "https://c-ares.haxx.se/adv_20170620.html",
                  "refsource": "CONFIRM",
                  "url": "https://c-ares.haxx.se/adv_20170620.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2017-1000381",
        "datePublished": "2017-07-07T17:00:00.000Z",
        "dateReserved": "2017-07-07T00:00:00.000Z",
        "dateUpdated": "2024-08-05T22:00:40.967Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-5180 (GCVE-0-2016-5180)

    Vulnerability from cvelistv5 – Published: 2016-10-03 15:00 – Updated: 2024-08-06 00:53
    VLAI
    Summary
    Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2016-09-29 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T00:53:48.437Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://source.android.com/security/bulletin/2017-01-01.html"
              },
              {
                "name": "93243",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/93243"
              },
              {
                "name": "USN-3143-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "http://www.ubuntu.com/usn/USN-3143-1"
              },
              {
                "name": "GLSA-201701-28",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201701-28"
              },
              {
                "name": "DSA-3682",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2016/dsa-3682"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://c-ares.haxx.se/adv_20160929.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://c-ares.haxx.se/CVE-2016-5180.patch"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html"
              },
              {
                "name": "RHSA-2017:0002",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-09-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-04T19:57:01.000Z",
            "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
            "shortName": "Chrome"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://source.android.com/security/bulletin/2017-01-01.html"
            },
            {
              "name": "93243",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/93243"
            },
            {
              "name": "USN-3143-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "http://www.ubuntu.com/usn/USN-3143-1"
            },
            {
              "name": "GLSA-201701-28",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201701-28"
            },
            {
              "name": "DSA-3682",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2016/dsa-3682"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://c-ares.haxx.se/adv_20160929.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://c-ares.haxx.se/CVE-2016-5180.patch"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html"
            },
            {
              "name": "RHSA-2017:0002",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@google.com",
              "ID": "CVE-2016-5180",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://source.android.com/security/bulletin/2017-01-01.html",
                  "refsource": "CONFIRM",
                  "url": "https://source.android.com/security/bulletin/2017-01-01.html"
                },
                {
                  "name": "93243",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/93243"
                },
                {
                  "name": "USN-3143-1",
                  "refsource": "UBUNTU",
                  "url": "http://www.ubuntu.com/usn/USN-3143-1"
                },
                {
                  "name": "GLSA-201701-28",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201701-28"
                },
                {
                  "name": "DSA-3682",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2016/dsa-3682"
                },
                {
                  "name": "https://c-ares.haxx.se/adv_20160929.html",
                  "refsource": "CONFIRM",
                  "url": "https://c-ares.haxx.se/adv_20160929.html"
                },
                {
                  "name": "https://c-ares.haxx.se/CVE-2016-5180.patch",
                  "refsource": "CONFIRM",
                  "url": "https://c-ares.haxx.se/CVE-2016-5180.patch"
                },
                {
                  "name": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html",
                  "refsource": "CONFIRM",
                  "url": "https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html"
                },
                {
                  "name": "RHSA-2017:0002",
                  "refsource": "REDHAT",
                  "url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
        "assignerShortName": "Chrome",
        "cveId": "CVE-2016-5180",
        "datePublished": "2016-10-03T15:00:00.000Z",
        "dateReserved": "2016-05-31T00:00:00.000Z",
        "dateUpdated": "2024-08-06T00:53:48.437Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }