cbcvebase.
CVE-2021-43523
published 2021-11-10

CVE-2021-43523: In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo…

PriorityP352critical9.6CVSS 3.1
AVNACLPRNUIRSCCHIHAH
EPSS
3.26%
86.8th percentile
In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo can lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, applications crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur.

Affected

5 ranges
VendorProductVersion rangeFixed in
debianuclibc
msrccbl2_uclibc-ng_1.0.37-2_on_cbl_mariner_2.0
msrccm1_uclibc-ng_1.0.37-2_on_cbl_mariner_1.0
uclibc-ng_projectuclibc-ng< 1.0.391.0.39
uclibcuclibc<= 0.9.33.2

CVSS provenance

nvdv3.19.6CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv9.6CRITICAL
vendor_debian9.6LOW
vendor_msrc9.6CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.