Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-31147

Good to know:

icon

Date: May 25, 2023

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.

Language: C

Severity Score

Related Resources (10)

https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/
https://nvd.nist.gov/vuln/detail/CVE-2023-31147
https://security.gentoo.org/glsa/202310-09
https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/
https://github.com/c-ares/c-ares/commit/823df3b989e59465d17b0a2eb1239a5fc048b4e5
https://access.redhat.com/security/cve/CVE-2023-31147
https://seclists.org/oss-sec/2023/q2/188
https://www.mend.io/vulnerability-database/CVE-2023-31147

Severity Score

Weakness Type (CWE)

Use of Insufficiently Random Values

CWE-330

Top Fix

icon

Upgrade Version

Upgrade to version cares-1_19_1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us