CVE-2021-3672

moderate-risk

Published 2021-11-23

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.6/10 Medium

NETWORK / HIGH complexity

Affected Products (20)

C-Ares

Fedora

Enterprise Linux

Enterprise Linux Computer Node

Enterprise Linux Eus

Enterprise Linux For Ibm Z Systems

Enterprise Linux For Ibm Z Systems Eus

Enterprise Linux For Power Little Endian

Enterprise Linux For Power Little Endian Eus

Enterprise Linux Server Aus

Affected Vendors

Redhat Siemens Fedoraproject Nodejs C-Ares Project Pgbouncer

References (10)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1988342

Exploit https://c-ares.haxx.se/adv_20210810.html

Patch https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

https://security.gentoo.org/glsa/202401-02

Third Party Advisory https://www.oracle.com/security-alerts/cpujul2022.html

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1988342

Exploit https://c-ares.haxx.se/adv_20210810.html

Patch https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

https://security.gentoo.org/glsa/202401-02

Third Party Advisory https://www.oracle.com/security-alerts/cpujul2022.html

/ 100

moderate-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 23/34 · High