CVE-2007-3152

c-ares before 1.4.0 uses a predictable seed for the random number generator for the DNS Transaction ID field, which might allow remote attackers to spoof DNS responses by guessing the field value.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://cool.haxx.se/cvs.cgi/curl/ares/CHANGES?rev=HEAD&content-type=text/vnd.viewcvs-markup
http://www.securityfocus.com/bid/24386	Patch
http://secunia.com/advisories/25579	Patch Vendor Advisory
http://osvdb.org/37171
https://exchange.xforce.ibmcloud.com/vulnerabilities/34979

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:daniel_stenberg:c-ares:1.0:::::::*
	cpe:2.3:a:daniel_stenberg:c-ares:1.3.2:::::::*
	cpe:2.3:a:daniel_stenberg:c-ares:1.1:::::::*
	cpe:2.3:a:daniel_stenberg:c-ares:1.2:::::::*
	cpe:2.3:a:daniel_stenberg:c-ares:1.2.1:::::::*
	cpe:2.3:a:daniel_stenberg:c-ares:1.3:::::::*
	cpe:2.3:a:daniel_stenberg:c-ares:1.3.1:::::::*

Information

Published : 2007-06-11 15:30

Updated : 2017-07-28 18:32

NVD link : CVE-2007-3152

Mitre link : CVE-2007-3152

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

daniel_stenberg

c-ares

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://cool.haxx.se/cvs.cgi/curl/ares/CHANGES?rev=HEAD&content-type=text/vnd.viewcvs-markup", "name": "http://cool.haxx.se/cvs.cgi/curl/ares/CHANGES?rev=HEAD&content-type=text/vnd.viewcvs-markup", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/24386", "name": "24386", "tags": ["Patch"], "refsource": "BID"}, {"url": "http://secunia.com/advisories/25579", "name": "25579", "tags": ["Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://osvdb.org/37171", "name": "37171", "tags": [], "refsource": "OSVDB"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34979", "name": "cares-transactionid-dns-spoofing(34979)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "c-ares before 1.4.0 uses a predictable seed for the random number generator for the DNS Transaction ID field, which might allow remote attackers to spoof DNS responses by guessing the field value."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2007-3152", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2007-06-11T22:30Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:daniel_stenberg:c-ares:1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:daniel_stenberg:c-ares:1.3.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:daniel_stenberg:c-ares:1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:daniel_stenberg:c-ares:1.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:daniel_stenberg:c-ares:1.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:daniel_stenberg:c-ares:1.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:daniel_stenberg:c-ares:1.3.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-07-29T01:32Z"}