CVE-2021-3672

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

CVSS v3 5.6 MEDIUM
CVSS v2.0 6.8 MEDIUM

5.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1988342	Issue Tracking Third Party Advisory
https://c-ares.haxx.se/adv_20210810.html	Exploit Patch Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	Patch Third Party Advisory
https://security.gentoo.org/glsa/202401-02
https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_computer_node:1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_tus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:1:::::::*

Configuration 4 (hide)

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

Configuration 5 (hide)

OR	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*

Configuration 6 (hide)

cpe:2.3:a:pgbouncer:pgbouncer:*:*:*:*:*:*:*:*

History

05 Jan 2024, 10:15

Type	Values Removed	Values Added
References		() https://security.gentoo.org/glsa/202401-02 -

18 Oct 2022, 14:57

Type	Values Removed	Values Added
CPE		cpe:2.3:a:pgbouncer:pgbouncer::::::::
First Time		Pgbouncer pgbouncer Pgbouncer

29 Aug 2022, 20:27

Type	Values Removed	Values Added
CPE		cpe:2.3:a:nodejs:node.js:::::-:::* cpe:2.3:a:nodejs:node.js:::::lts:::*
First Time		Nodejs Nodejs node.js
References	~~(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -~~	(N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Third Party Advisory

25 Jul 2022, 18:16

Type	Values Removed	Values Added
References		(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

03 Jun 2022, 18:10

Type	Values Removed	Values Added
References	~~(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf -~~	(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory
CPE		cpe:2.3:a:siemens:sinec_infrastructure_network_services::::::::
First Time		Siemens sinec Infrastructure Network Services Siemens

10 Mar 2022, 17:42

Type	Values Removed	Values Added
References		(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf -

14 Dec 2021, 18:29

Type	Values Removed	Values Added
CVSS	v2 : ~~7.5~~ v3 : ~~7.3~~	v2 : 6.8 v3 : 5.6

26 Nov 2021, 19:06

Type	Values Removed	Values Added
CPE		cpe:2.3:o:redhat:enterprise_linux_computer_node:1:::::::* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:::::::* cpe:2.3:o:fedoraproject:fedora:33:::::::* cpe:2.3:o:redhat:enterprise_linux_eus:8.4:::::::* cpe:2.3:o:redhat:enterprise_linux_eus:8.1:::::::* cpe:2.3:o:redhat:enterprise_linux:8.0:::::::* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:::::::* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.1:::::::* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.2:::::::* cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:::::::* cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:::::::* cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:::::::* cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.2:::::::* cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4:::::::* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:::::::* cpe:2.3:o:redhat:enterprise_linux:7.0:::::::* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.2:::::::* cpe:2.3:o:redhat:enterprise_linux_tus:8.4:::::::* cpe:2.3:o:redhat:enterprise_linux_workstation:1:::::::* cpe:2.3:o:redhat:enterprise_linux_eus:8.2:::::::* cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.1:::::::* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.1:::::::* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::* cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::* cpe:2.3:o:redhat:enterprise_linux:7.7:::::::* cpe:2.3:o:fedoraproject:fedora:34:::::::* cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:::::::* cpe:2.3:a:c-ares_project:c-ares::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 7.5 v3 : 7.3
References	~~(MISC) https://c-ares.haxx.se/adv_20210810.html -~~	(MISC) https://c-ares.haxx.se/adv_20210810.html - Exploit, Patch, Vendor Advisory
References	~~(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1988342 -~~	(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1988342 - Issue Tracking, Third Party Advisory

23 Nov 2021, 19:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-11-23 19:15

Updated : 2024-01-05 10:15

NVD link : CVE-2021-3672

Mitre link : CVE-2021-3672

CVE.ORG link : CVE-2021-3672

JSON object : View

Products Affected

redhat

enterprise_linux_computer_node
enterprise_linux
enterprise_linux_server_aus
enterprise_linux_server_update_services_for_sap_solutions
enterprise_linux_for_ibm_z_systems
enterprise_linux_for_power_little_endian_eus
enterprise_linux_server_tus
enterprise_linux_workstation
enterprise_linux_for_ibm_z_systems_eus
enterprise_linux_tus
enterprise_linux_eus
enterprise_linux_for_power_little_endian

fedoraproject

fedora

c-ares_project

c-ares

nodejs

node.js

siemens

sinec_infrastructure_network_services

pgbouncer

pgbouncer

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.6 /10