CVE-2023-31124

CVSS v3.1 3.7 (Low)
EPSS 0.11 % (44th)
Affected Products 2
Advisories 28

c-ares is an asynchronous resolver library. When c-ares is cross-compiled with the autotools build system, CARES_RANDOM_FILE is not set, as seen when cross-compiling for aarch64 Android. The library then falls back to rand(), which is not a CSPRNG, and an attacker could take advantage of the resulting lack of entropy. This issue was patched in version 1.19.1.

Weaknesses
CWE-330
Use of Insufficiently Random Values
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2023-05-25 22:15:09
(16 months ago)
Updated Date
2023-10-31 16:05:56
(10 months ago)

Affected Products


Configuration #1

    Product                                     CPE23                              From  Up To
    C-ares Project C-ares prior 1.19.1 version  cpe:2.3:a:c-ares_project:c-ares          < 1.19.1

Configuration #2

    Product                  CPE23                              From  Up To
    Fedoraproject Fedora 37  cpe:2.3:o:fedoraproject:fedora:37
    Fedoraproject Fedora 38  cpe:2.3:o:fedoraproject:fedora:38