A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
References
| Link | Resource |
|---|---|
| https://c-ares.haxx.se/adv_20210810.html | Exploit Patch Vendor Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=1988342 | Issue Tracking Third Party Advisory |
| https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | Patch Third Party Advisory |
| https://www.oracle.com/security-alerts/cpujul2022.html | Third Party Advisory |
Advertisement
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
Information
Published : 2021-11-23 11:15
Updated : 2022-10-18 07:57
NVD link : CVE-2021-3672
Mitre link : CVE-2021-3672
JSON object : View
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Advertisement
Products Affected
redhat
- enterprise_linux_for_power_little_endian
- enterprise_linux
- enterprise_linux_server_aus
- enterprise_linux_workstation
- enterprise_linux_for_ibm_z_systems
- enterprise_linux_server_tus
- enterprise_linux_for_ibm_z_systems_eus
- enterprise_linux_computer_node
- enterprise_linux_server_update_services_for_sap_solutions
- enterprise_linux_for_power_little_endian_eus
- enterprise_linux_tus
- enterprise_linux_eus
c-ares_project
- c-ares
nodejs
- node.js
pgbouncer
- pgbouncer
fedoraproject
- fedora
siemens
- sinec_infrastructure_network_services