CVE-2023-31124
Status: Modified
Published: 25 May 2023, 21:09
Last modified: 13 Feb 2025, 16:49
Vulnerability Summary
Overall risk (default): low (15/100)
CVSS score: 3.7 LOW, v3.1 (cve.org)
EPSS score: 0.08% LOW (change: +0.01%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark web: Not detected
Timeline
25 May 2023, 21:09: Published (vulnerability first disclosed)
13 Feb 2025, 16:49: Last modified (vulnerability information updated)
Description
c-ares is an asynchronous resolver library. When cross-compiling c-ares with the autotools build system, CARES_RANDOM_FILE is not set, as seen when cross-compiling for aarch64 Android. The library then downgrades to rand() as its fallback source of randomness, which could allow an attacker to take advantage of the lack of entropy, since rand() is not a CSPRNG. This issue was patched in version 1.19.1.
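As an added check (not part of the advisory or of c-ares itself), the POSIX shell functions below inspect a build's generated config header for the CARES_RANDOM_FILE define and compare a version string against the fixed release 1.19.1; the header name ares_config.h and the exact form of the define are assumptions about the autotools build tree.

```shell
#!/bin/sh
# Added example, not c-ares project code. Affected builds (< 1.19.1, cross-compiled
# with autotools) lack CARES_RANDOM_FILE in the generated header and fall back to
# rand(). The header name ares_config.h and the define format are assumptions.

# check_random_file <path-to-ares_config.h>
# Prints "ok" when CARES_RANDOM_FILE is defined with a non-empty value and returns 0;
# prints "fallback" and returns 1 when it is missing or commented out.
check_random_file() {
    hdr="$1"
    [ -r "$hdr" ] || { echo "unreadable: $hdr" >&2; return 2; }
    # An active define looks like: #define CARES_RANDOM_FILE "/dev/urandom"
    if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+CARES_RANDOM_FILE[[:space:]]+"[^"]+"' "$hdr"; then
        echo ok
        return 0
    fi
    echo fallback
    return 1
}

# version_affected <major.minor[.patch]>  -> returns 0 if older than 1.19.1, 1 otherwise
version_affected() {
    v="$1"
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0   # no patch component given
    n=$((maj * 1000000 + min * 1000 + pat))
    [ "$n" -lt $((1 * 1000000 + 19 * 1000 + 1)) ]
}

# Demo on constructed sample headers (not real build output).
demo_dir=$(mktemp -d)
printf '#define CARES_RANDOM_FILE "/dev/urandom"\n' > "$demo_dir/good.h"
printf '/* #undef CARES_RANDOM_FILE */\n' > "$demo_dir/cross.h"
for h in good cross; do
    printf '%s: %s\n' "$h" "$(check_random_file "$demo_dir/$h.h")"
done
for ver in 1.18.1 1.19.0 1.19.1; do
    if version_affected "$ver"; then echo "$ver: affected"; else echo "$ver: fixed"; fi
done
rm -rf "$demo_dir"
```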
CVSS Metrics
- v3.1, LOW, score 3.7: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Trends
Current EPSS score: 0.08%, percentile: 24%
Techniques & Countermeasures
- CWE-330: Use of Insufficiently Random Values
  The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Affected Systems
- c-ares_project / c-ares: < 1.19.1
- c-ares / c-ares: < 1.19.1
- fedoraproject / fedora: 37, 38
References (5)
- https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4
- https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/
- https://security.gentoo.org/glsa/202310-09