CVE-2023-31147

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
Configurations

Configuration 1 (hide)

cpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

History

31 Oct 2023, 16:06

Type Values Removed Values Added
References (MISC) https://security.gentoo.org/glsa/202310-09 - (MISC) https://security.gentoo.org/glsa/202310-09 - Third Party Advisory

08 Oct 2023, 09:15

Type Values Removed Values Added
References
  • (MISC) https://security.gentoo.org/glsa/202310-09 -

02 Jun 2023, 17:44

Type Values Removed Values Added
CPE cpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
CWE CWE-330
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
First Time Fedoraproject fedora
C-ares Project c-ares
C-ares Project
Fedoraproject
References (MISC) https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2 - (MISC) https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2 - Third Party Advisory
References (MISC) https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1 - (MISC) https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1 - Release Notes
References (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/ - (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/ - Mailing List, Third Party Advisory
References (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/ - (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/ - Mailing List, Third Party Advisory

28 May 2023, 06:15

Type Values Removed Values Added
References
  • (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/ -

Information

Published : 2023-05-25 22:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-31147

Mitre link : CVE-2023-31147

CVE.ORG link : CVE-2023-31147


JSON object : View

Products Affected

fedoraproject

  • fedora

c-ares_project

  • c-ares
CWE
CWE-330

Use of Insufficiently Random Values