C Aresproject C Ares
By the Year
In 2023 there have been 1 vulnerability in C Aresproject C Ares with an average score of 8.6 out of ten. C Ares did not have any published security vulnerabilities last year. That is, 1 more vulnerability have already been reported in 2023 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2023 | 1 | 8.60 |
| 2022 | 0 | 0.00 |
| 2021 | 2 | 4.45 |
| 2020 | 1 | 7.50 |
| 2019 | 0 | 0.00 |
| 2018 | 0 | 0.00 |
It may take a day or so for new C Ares vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent C Aresproject C Ares Security Vulnerabilities
A flaw was found in the c-ares package
CVE-2022-4904
8.6 - High
- March 06, 2023
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
Improper Input Validation
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames
CVE-2021-3672
5.6 - Medium
- November 23, 2021
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
XSS
A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing
CVE-2020-14354
3.3 - Low
- May 13, 2021
A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.
Double-free
A Node.js application
CVE-2020-8277
7.5 - High
- November 19, 2020
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
Resource Exhaustion
The c-ares function `ares_parse_naptr_reply()`
CVE-2017-1000381
7.5 - High
- July 07, 2017
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
Information Disclosure
Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0
CVE-2016-5180
9.8 - Critical
- October 03, 2016
Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
Memory Corruption
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Canonical Ubuntu Linux or by C Aresproject? Click the Watch button to subscribe.
