CVE-2021-3672

Exploit

EPSS 0.11%
Published 23.11.2021 19:15:07
Last modified 21.11.2024 06:22:07
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

Affected products Warnungen 0 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

C-ares Project ≫ C-ares Version >= 1.0.0 < 1.17.2

Fedoraproject ≫ Fedora Version33

Fedoraproject ≫ Fedora Version34

Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Enterprise Linux Version7.7

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Enterprise Linux Computer Node Version1

Redhat ≫ Enterprise Linux Eus Version7.7

Redhat ≫ Enterprise Linux Eus Version8.1

Redhat ≫ Enterprise Linux Eus Version8.2

Redhat ≫ Enterprise Linux Eus Version8.4

Redhat ≫ Enterprise Linux For Ibm Z Systems Version8.0

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version8.1

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version8.2

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version8.4

Redhat ≫ Enterprise Linux For Power Little Endian Version8.0

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.1

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.2

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.4

Redhat ≫ Enterprise Linux Server Aus Version8.2

Redhat ≫ Enterprise Linux Server Aus Version8.4

Redhat ≫ Enterprise Linux Server Tus Version8.2

Redhat ≫ Enterprise Linux Server Tus Version8.4

Redhat ≫ Enterprise Linux Server Update Services For Sap Solutions Version8.1

Redhat ≫ Enterprise Linux Server Update Services For Sap Solutions Version8.2

Redhat ≫ Enterprise Linux Server Update Services For Sap Solutions Version8.4

Redhat ≫ Enterprise Linux Tus Version8.4

Redhat ≫ Enterprise Linux Workstation Version1

Siemens ≫ Sinec Infrastructure Network Services Version < 1.0.1.1

Nodejs ≫ Node.Js SwEdition- Version >= 12.0.0 <= 12.12.0

Nodejs ≫ Node.Js SwEditionlts Version >= 12.13.0 < 12.22.5

Nodejs ≫ Node.Js SwEdition- Version >= 14.0.0 <= 14.14.0

Nodejs ≫ Node.Js SwEditionlts Version >= 14.15.0 < 14.17.5

Nodejs ≫ Node.Js SwEdition- Version >= 16.0.0 < 16.6.2

Pgbouncer ≫ Pgbouncer Version <= 1.17.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.11%	0.305

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.6	2.2	3.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.oracle.com/security-alerts/cpujul2022.html

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch

Third Party Advisory

https://security.gentoo.org/glsa/202401-02

https://bugzilla.redhat.com/show_bug.cgi?id=1988342

Third Party Advisory

Issue Tracking

https://c-ares.haxx.se/adv_20210810.html

Patch

Vendor Advisory