7.5

CVE-2017-1000381

The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
C-aresC-ares Version1.8.0
C-aresC-ares Version1.9.0
C-aresC-ares Version1.9.1
C-aresC-ares Version1.10.0
C-aresC-ares Version1.12.0
C-ares ProjectC-ares Version1.11.0
C-ares ProjectC-ares Version1.11.0 Updaterc1
NodejsNode.Js SwEdition- Version >= 4.0.0 <= 4.1.2
NodejsNode.Js SwEditionlts Version >= 4.2.0 < 4.8.4
NodejsNode.Js SwEdition- Version >= 5.0.0 <= 5.12.0
NodejsNode.Js SwEdition- Version >= 6.0.0 <= 6.8.1
NodejsNode.Js SwEditionlts Version >= 6.9.0 < 6.11.1
NodejsNode.Js SwEdition- Version >= 7.0.0 < 7.10.1
NodejsNode.Js SwEdition- Version >= 8.0.0 < 8.1.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.66% 0.701
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

http://www.securityfocus.com/bid/99148
Third Party Advisory
VDB Entry
https://c-ares.haxx.se/0616.patch
Vendor Advisory
Mailing List