CVE-2021-3672

Exploit

EPSS 0.11%
Veröffentlicht 23.11.2021 19:15:07
Zuletzt bearbeitet 21.11.2024 06:22:07
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

C-ares Project ≫ C-ares Version >= 1.0.0 < 1.17.2

Fedoraproject ≫ Fedora Version33

Fedoraproject ≫ Fedora Version34

Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Enterprise Linux Version7.7

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Enterprise Linux Computer Node Version1

Redhat ≫ Enterprise Linux Eus Version7.7

Redhat ≫ Enterprise Linux Eus Version8.1

Redhat ≫ Enterprise Linux Eus Version8.2

Redhat ≫ Enterprise Linux Eus Version8.4

Redhat ≫ Enterprise Linux For Ibm Z Systems Version8.0

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version8.1

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version8.2

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version8.4

Redhat ≫ Enterprise Linux For Power Little Endian Version8.0

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.1

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.2

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.4

Redhat ≫ Enterprise Linux Server Aus Version8.2

Redhat ≫ Enterprise Linux Server Aus Version8.4

Redhat ≫ Enterprise Linux Server Tus Version8.2

Redhat ≫ Enterprise Linux Server Tus Version8.4

Redhat ≫ Enterprise Linux Server Update Services For Sap Solutions Version8.1

Redhat ≫ Enterprise Linux Server Update Services For Sap Solutions Version8.2

Redhat ≫ Enterprise Linux Server Update Services For Sap Solutions Version8.4

Redhat ≫ Enterprise Linux Tus Version8.4

Redhat ≫ Enterprise Linux Workstation Version1

Siemens ≫ Sinec Infrastructure Network Services Version < 1.0.1.1

Nodejs ≫ Node.Js SwEdition- Version >= 12.0.0 <= 12.12.0

Nodejs ≫ Node.Js SwEditionlts Version >= 12.13.0 < 12.22.5

Nodejs ≫ Node.Js SwEdition- Version >= 14.0.0 <= 14.14.0

Nodejs ≫ Node.Js SwEditionlts Version >= 14.15.0 < 14.17.5

Nodejs ≫ Node.Js SwEdition- Version >= 16.0.0 < 16.6.2

Pgbouncer ≫ Pgbouncer Version <= 1.17.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.305

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.6	2.2	3.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.oracle.com/security-alerts/cpujul2022.html

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch

Third Party Advisory

https://security.gentoo.org/glsa/202401-02

https://bugzilla.redhat.com/show_bug.cgi?id=1988342

Third Party Advisory

Issue Tracking

https://c-ares.haxx.se/adv_20210810.html

Patch

Vendor Advisory