1. Home
  2. Vulnerabilities
  3. CVE-2023-31147

CVE-2023-31147

CVSS v3.1 6.5 (Medium)
65% Progress
EPSS 0.12 % (46th)
0.12% Progress
Affected Products 2
Advisories 26
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software Tools, Exploits & PoC Graph Web & Social Timeline

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.

Weaknesses
CWE-330
Use of Insufficiently Random Values
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2023-05-25 22:15:09
(16 months ago)
Updated Date
2023-10-31 16:06:05
(10 months ago)

Affected Products

C-ares Project

Fedoraproject

Configuration #1

    CPE23 From Up To
  C-ares Project C-ares prior 1.19.1 version cpe:2.3:a:c-ares_project:c-ares < 1.19.1

Configuration #2

    CPE23 From Up To
  Fedoraproject Fedora 37 cpe:2.3:o:fedoraproject:fedora:37
  Fedoraproject Fedora 38 cpe:2.3:o:fedoraproject:fedora:38