CVE-2023-31124

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-31124
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-31124.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-31124
Aliases
  • GHSA-54xr-f67r-4pc4
Related
Published
2023-05-25T22:15:09Z
Modified
2024-07-31T01:38:45.496557Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARESRANDOMFILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.

References

Affected packages

Debian:11 / c-ares

Package

Name
c-ares
Purl
pkg:deb/debian/c-ares?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.17.1-1
1.17.1-1+deb11u1
1.17.1-1+deb11u2
1.17.1-1+deb11u3
1.17.1-1.1
1.17.2-1
1.18.0-1
1.18.1-1~bpo10+1
1.18.1-1
1.18.1-2
1.18.1-3
1.19.0-1
1.19.1-1
1.19.1-2
1.19.1-3
1.20.0-1
1.20.0-2
1.20.0-3
1.20.1-1
1.21.0-1
1.22.0-1
1.22.1-1
1.23.0-1
1.24.0-1
1.25.0-1
1.26.0-1
1.26.0-1.1~exp1
1.27.0-1
1.27.0-1.1~exp1
1.27.0-1.1
1.27.0-1.2
1.28.1-1
1.29.0-1
1.30.0-1
1.31.0-1
1.32.2-1
1.32.2-2
1.32.3-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / c-ares

Package

Name
c-ares
Purl
pkg:deb/debian/c-ares?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.18.1-3
1.19.0-1
1.19.1-1
1.19.1-2
1.19.1-3
1.20.0-1
1.20.0-2
1.20.0-3
1.20.1-1
1.21.0-1
1.22.0-1
1.22.1-1
1.23.0-1
1.24.0-1
1.25.0-1
1.26.0-1
1.26.0-1.1~exp1
1.27.0-1
1.27.0-1.1~exp1
1.27.0-1.1
1.27.0-1.2
1.28.1-1
1.29.0-1
1.30.0-1
1.31.0-1
1.32.2-1
1.32.2-2
1.32.3-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / c-ares

Package

Name
c-ares
Purl
pkg:deb/debian/c-ares?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.19.1-2

Affected versions

1.*

1.18.1-3
1.19.0-1
1.19.1-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/c-ares/c-ares

Affected ranges

Type
GIT
Repo
https://github.com/c-ares/c-ares
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

c-ares-1_17_0
c-ares-1_2_0
cares-1_10_0
cares-1_11_0
cares-1_11_0-rc1
cares-1_12_0
cares-1_13_0
cares-1_14_0
cares-1_15_0
cares-1_16_0
cares-1_16_1
cares-1_17_1
cares-1_17_2
cares-1_18_0
cares-1_18_1
cares-1_19_0
cares-1_1_0
cares-1_2_1
cares-1_3_1
cares-1_3_2
cares-1_4_0
cares-1_5_0
cares-1_5_1
cares-1_5_2
cares-1_5_3
cares-1_6_0
cares-1_7_0
cares-1_7_1
cares-1_7_2
cares-1_7_3
cares-1_7_4
cares-1_7_5
cares-1_8_0
cares-1_9_0
cares-1_9_1
curl-7_10_8
curl-7_11_0
curl-7_11_1
curl-7_12_0
curl-7_12_1
curl-7_12_2
curl-7_13_0
curl-7_13_1
curl-7_13_2
curl-7_14_0
curl-7_14_1
curl-7_15_0
curl-7_15_1
curl-7_15_3
curl-7_15_4
curl-7_15_5
curl-7_15_6-prepipeline
curl-7_16_0
curl-7_16_1
curl-7_16_2
curl-7_16_3
curl-7_16_4
curl-7_17_0
curl-7_17_1
curl-7_18_0
curl-7_18_1
curl-7_18_2
curl-7_19_0
curl-7_19_2
curl-7_19_3
curl-7_19_4
curl-7_19_5
curl-7_19_6
curl-7_19_7
curl-7_20_0