CVE-2023-31124

low

Description

c-ares is an asynchronous resolver library. When c-ares is cross-compiled with the autotools build system, CARES_RANDOM_FILE is left unset (observed when cross-compiling for aarch64 Android). The library then falls back to the C library's rand(), which is not a CSPRNG, so an attacker could take advantage of the resulting lack of entropy in the values c-ares derives from it. The issue is fixed in version 1.19.1.
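Why a rand() fallback matters in a resolver: a stub resolver depends on unpredictable values such as the 16-bit DNS transaction ID, which an off-path attacker must guess for a forged response to be accepted. The C program below is an added illustration, not c-ares code, of the weakness the advisory describes. It models a hypothetical resolver that seeds rand() once from a low-entropy value (here a Unix timestamp the attacker can bound to within an hour; how the c-ares 1.19.0 fallback actually seeds itself is not stated on this page) and mints query IDs from rand(), then shows the attacker recovering the seed from a few observed IDs and predicting the next one. The contrasting strong_query_id() reads from a CSPRNG device, the kind of source CARES_RANDOM_FILE is meant to name.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a resolver whose random source fell back to rand().
 * Not c-ares code: it only illustrates why a non-CSPRNG fallback is unsafe. */

#define OBSERVED 4   /* IDs the attacker is assumed to have seen, e.g. from
                        queries sent to an attacker-run authoritative server */

/* Victim side: seed once from a low-entropy value, then mint 16-bit IDs. */
static void weak_seed(unsigned seed) { srand(seed); }

static uint16_t weak_query_id(void) {
    return (uint16_t)(rand() & 0xFFFF);
}

/* Convenience: seed with `seed` and collect the first n IDs into out[]. */
static void collect_ids(unsigned seed, uint16_t *out, size_t n) {
    weak_seed(seed);
    for (size_t i = 0; i < n; i++) out[i] = weak_query_id();
}

/* Attacker side: brute-force every seed in [lo, hi] (inclusive) and accept
 * the first whose leading outputs reproduce the observed IDs. With a
 * timestamp seed and a +/-1 hour window that is only 7201 candidates.
 * Returns 1 and stores the seed in *seed_out on success, 0 otherwise. */
static int recover_seed(const uint16_t *observed, size_t n,
                        unsigned lo, unsigned hi, unsigned *seed_out) {
    for (unsigned s = lo; ; s++) {
        srand(s);
        size_t i = 0;
        while (i < n && (uint16_t)(rand() & 0xFFFF) == observed[i]) i++;
        if (i == n) { *seed_out = s; return 1; }
        if (s == hi) return 0;   /* compare before s++ so hi == UINT_MAX is safe */
    }
}

/* Attacker side: replay the recovered seed past the IDs already seen and
 * read off the ID the victim will use for its next query. */
static uint16_t predict_next_id(unsigned seed, size_t already_seen) {
    srand(seed);
    for (size_t i = 0; i < already_seen; i++) (void)rand();
    return (uint16_t)(rand() & 0xFFFF);
}

/* Hardened counterpart: draw the ID from a CSPRNG device, which is what a
 * correctly set CARES_RANDOM_FILE (e.g. "/dev/urandom") provides.
 * Returns 0 on success, -1 if the device cannot be read. */
static int strong_query_id(const char *random_file, uint16_t *out) {
    FILE *f = fopen(random_file, "rb");
    if (!f) return -1;
    size_t got = fread(out, sizeof *out, 1, f);
    fclose(f);
    return got == 1 ? 0 : -1;
}

int main(void) {
    const unsigned victim_seed = 1700000000u;   /* constructed: a Unix time */
    uint16_t seen[OBSERVED];
    collect_ids(victim_seed, seen, OBSERVED);
    uint16_t real_next = weak_query_id();       /* the victim's next ID */

    unsigned guess;
    if (recover_seed(seen, OBSERVED, victim_seed - 3600, victim_seed + 3600,
                     &guess)) {
        uint16_t predicted = predict_next_id(guess, OBSERVED);
        printf("seed %u recovered; predicted next ID 0x%04x, actual 0x%04x\n",
               guess, predicted, real_next);
    }

    uint16_t strong;
    if (strong_query_id("/dev/urandom", &strong) == 0)
        printf("CSPRNG-backed ID: 0x%04x (not predictable off-path)\n", strong);
    return 0;
}
```

The brute force succeeds because rand() is fully determined by its seed and the seed space the attacker must search is tiny; a CSPRNG-backed source removes both properties, which is why an unset CARES_RANDOM_FILE in a cross-compiled build is worth checking for before shipping.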

References

https://security.gentoo.org/glsa/202310-09

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/

https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4

https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1

Details

Source: Mitre, NVD

Published: 2023-05-25

Updated: 2023-10-31

Risk Information

CVSS v2

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Severity: Low