CVE-2023-32067
Advisory lineage Upstream: 0 Downstream: 29
Modified
Published: 25 May 2023, 22:49
Last modified:13 Feb 2025, 16:50
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
0.34% LOW
0% probability -0.04%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
25 May 2023, 22:49
Published
Vulnerability first disclosed
13 Feb 2025, 16:50
Last Modified
Vulnerability information updated
Description
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.34%• Percentile: 57%
Techniques & Countermeasures
- CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
Affected Systems
- c-ares_project•c-ares
< 1.19.1
- c-ares•c-ares
< 1.19.1
- debian•debian_linux
10.0 | 11.0
- fedoraproject•fedora
37 | 38
References (8)
- https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc
- https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/
- https://www.debian.org/security/2023/dsa-5419
- https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html
- https://security.gentoo.org/glsa/202310-09
- https://security.netapp.com/advisory/ntap-20240605-0004/