C-ares Security Vulnerabilities and Issues — C-ares CVE List

Lucene search

C-ares ProjectC-ares

9 matches found

CVE•added 2023/05/25 11:15 p.m.•608 views

CVE-2023-32067

c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shu...

7.5CVSS7.6AI score0.00323EPSS

CVE•added 2023/05/25 10:15 p.m.•480 views

CVE-2023-31130

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to co...

6.4CVSS6.5AI score0.00011EPSS

CVE•added 2021/11/23 7:15 p.m.•460 views

CVE-2021-3672

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as we...

6.8CVSS5.9AI score0.00067EPSS

CVE•added 2023/05/25 10:15 p.m.•385 views

CVE-2023-31124

c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lac...

3.7CVSS6AI score0.0007EPSS

CVE•added 2023/05/25 10:15 p.m.•384 views

CVE-2023-31147

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generat...

6.5CVSS6.9AI score0.00087EPSS

CVE•added 2020/11/19 1:15 a.m.•337 views

CVE-2020-8277

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and

7.5CVSS7.3AI score0.62923EPSS

CVE•added 2023/03/06 11:15 p.m.•332 views

CVE-2022-4904

A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.

8.6CVSS8.5AI score0.00138EPSS

CVE•added 2016/10/03 3:59 p.m.•143 views

CVE-2016-5180

Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.

9.8CVSS9.8AI score0.22414EPSS

CVE•added 2017/07/07 5:29 p.m.•143 views

CVE-2017-1000381

The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.

7.5CVSS7.4AI score0.00733EPSS