Vulnerability CVE-2021-3672: Information

Description

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

Severity: MEDIUM (5.6) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3672

Published: Nov. 23, 2021

Modified: Jan. 5, 2024

Error type identifier: CWE-79

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
c-ares	sisyphus	1.17.2-alt1	1.28.1-alt1	ALT-PU-2021-2494-1	282478	Fixed
c-ares	sisyphus_riscv64	1.18.1-alt1	1.28.1-alt1	ALT-PU-2021-4410-1	-	Fixed
c-ares	p10	1.17.2-alt1	1.26.0-alt1	ALT-PU-2021-2508-1	282480	Fixed
c-ares	p9	1.17.2-alt1	1.17.2-alt1	ALT-PU-2021-2577-1	282608	Fixed
c-ares	c10f1	1.17.2-alt1	1.19.1-alt1	ALT-PU-2021-2508-1	282480	Fixed
c-ares	c9f2	1.18.1-alt1	1.18.1-alt1	ALT-PU-2022-3071-2	303505	Fixed
node	sisyphus	14.17.5-alt1	20.12.2-alt1	ALT-PU-2021-2497-1	282449	Fixed
node	p10	14.17.5-alt1	16.19.1-alt1	ALT-PU-2021-2550-1	282492	Fixed
node	c10f1	14.17.5-alt1	16.19.1-alt1	ALT-PU-2021-2550-1	282492	Fixed
node	c9f2	16.17.1-alt0.c9.1	16.19.1-alt0.c9.1	ALT-PU-2022-3073-1	303505	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://c-ares.haxx.se/adv_20210810.html	Exploit Patch Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1988342	Issue Tracking Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	Patch Third Party Advisory
N/A	Third Party Advisory
GLSA-202401-02

Affected configurations:
1. Configuration 1
  cpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*
  Start including
  1.0.0
  End excliding
  1.17.2
  
  Configuration 2
  cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux:7.7:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_tus:8.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.1:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.1:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.1:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_computer_node:1:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_workstation:1:*:*:*:*:*:*:*
  
  Configuration 4
  cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
  End excliding
  1.0.1.1
  
  Configuration 5
  cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
  Start including
  16.0.0
  End excliding
  16.6.2
  cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
  Start including
  14.0.0
  End including
  14.14.0
  cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
  Start including
  12.13.0
  End excliding
  12.22.5
  cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
  Start including
  12.0.0
  End including
  12.12.0
  cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
  Start including
  14.15.0
  End excliding
  14.17.5
  
  Configuration 6
  cpe:2.3:a:pgbouncer:pgbouncer:*:*:*:*:*:*:*:*
  End including
  1.17.0

Version: v24.4.2

Vulnerability CVE-2021-3672: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Configuration 6