CVE-2021-3672: A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong…

medium5.6CVSS 3.1

AVNACHPRNUINSUCLILAL

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

Affected

50 ranges· showing 25

Vendor	Product	Version range	Fixed in
c-ares	c-ares	>= 0 < 1.17.1-1+deb11u1	1.17.1-1+deb11u1
c-ares	c-ares	>= 0 < 1.17.1-1.1	1.17.1-1.1
c-ares	c-ares	>= 0 < 1.17.1-1.1	1.17.1-1.1
c-ares	c-ares	>= 0 < 1.17.1-1.1	1.17.1-1.1
c-ares_project	c-ares	—	—
c-ares_project	c-ares	>= 1.0.0 < 1.17.2	1.17.2
debian	c-ares	< c-ares 1.17.1-1.1 (bookworm)	c-ares 1.17.1-1.1 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
msrc	azl3_ceph_18.2.2-1_on_azure_linux_3.0	—	—
msrc	azl3_ceph_18.2.2-8_on_azure_linux_3.0	—	—
msrc	azl3_rubygem-mini_portile2_2.8.4-1_on_azure_linux_3.0	—	—
msrc	azl3_tensorflow_2.16.1-9_on_azure_linux_3.0	—	—
msrc	cbl2_ceph_16.2.10-7_on_cbl_mariner_2.0	—	—
msrc	cbl2_pgbouncer_1.16.1-1_on_cbl_mariner_2.0	—	—
msrc	cm1_c-ares_1.18.1-1_on_cbl_mariner_1.0	—	—
msrc	cm1_pgbouncer_1.16.1-1_on_cbl_mariner_1.0	—	—
nodejs	node.js	12.0.0 – 12.12.0	—
nodejs	node.js	>= 12.13.0 < 12.22.5	12.22.5
nodejs	node.js	14.0.0 – 14.14.0	—
nodejs	node.js	>= 14.15.0 < 14.17.5	14.17.5
nodejs	node.js	>= 16.0.0 < 16.6.2	16.6.2
paloalto	pan-os	—	—
pgbouncer	pgbouncer	<= 1.17.0	—
redhat	enterprise_linux	—	—

CVSS provenance

nvdv3.15.6MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

ghsa5.6MEDIUM

osv5.6MEDIUM