Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2023-31147

Опубликовано: 25 мая 2023
Источник: nvd
CVSS3: 5.9
CVSS3: 6.5
EPSS Низкий

Описание

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*
Версия до 1.19.1 (исключая)
Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

EPSS

Процентиль: 26%
0.00087
Низкий

5.9 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-330
CWE-330

Связанные уязвимости

ubuntu логотип

CVE-2023-31147

CVSS3: 5.9
ubuntu
около 2 лет назад

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.

redhat логотип

CVE-2023-31147

CVSS3: 5.9
redhat
около 2 лет назад

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.

msrc логотип

CVE-2023-31147

CVSS3: 6.5
msrc
около 2 лет назад

Описание отсутствует

debian логотип

CVE-2023-31147

CVSS3: 5.9
debian
около 2 лет назад

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGe ...

suse-cvrf логотип

SUSE-SU-2023:2477-1

suse-cvrf
около 2 лет назад

Security update for libcares2

EPSS

Процентиль: 26%
0.00087
Низкий

5.9 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-330
CWE-330