CVE-2023-31147
CVSS v3.1: 6.5 (Medium)
EPSS: 0.12 % (46th percentile)
Affected Products: 2
Advisories: 26
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares falls back to rand() to generate the random numbers used for DNS query IDs. rand() is not a CSPRNG, and c-ares does not seed it with srand(), so it produces predictable output. The output of the random number generator is then fed into a non-compliant RC4 implementation, which may not be as strong as the original RC4. No attempt is made to use modern OS-provided CSPRNGs such as arc4random(), which is widely available. This issue has been fixed in version 1.19.1.
Weaknesses
- CWE-330: Use of Insufficiently Random Values

CVE Status: PUBLISHED
CNA: GitHub, Inc.
Published Date: 2023-05-25 22:15:09
Updated Date: 2023-10-31 16:06:05