CVE-2021-3672 — Cross-site Scripting in Project C-ares
Severity
5.6 MEDIUM (NVD)
EPSS
0.1%
top 82.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 23
Latest update: Jul 5
Description
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability: 2.2 | Impact: 3.4
Affected Packages: 9 packages
Also affects: Fedora 33, 34, Enterprise Linux 7.0, 7.7, 8.0, 8.1, 8.2, 8.4
Patches
Vulnerability Details (5)
OSV (2022-07-05)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pycares
GHSA (2022-07-05)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pycares
GHSA (2022-05-24)
GHSA-hghm-3vc3-hppj: A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of w
OSV (2021-11-23)
CVE-2021-3672: A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of w
CVEList (2021-11-23)
CVE-2021-3672: A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of w
Vendor Advisories (5)
Microsoft (2021-11-09)
A flaw was found in c-ares library where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Doma
Debian (2021)
CVE-2021-3672: c-ares - A flaw was found in c-ares library, where a missing input validation check of ho...