CVE-2017-1000381

HIGH EPSS 87.0%
Published Jul 7, 20178y ago · Modified Jun 17, 20262w ago
7.5 CVSS 3.1
High
Find Similar
Published Jul 7, 2017 8y ago
Last Modified Jun 17, 2026 2w ago

Description

The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
87.0% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure

Affected Products 14

VendorProductVersionRange
c-aresc-ares1.8.0any
c-aresc-ares1.9.0any
c-aresc-ares1.9.1any
c-aresc-ares1.10.0any
c-aresc-ares1.12.0any
c-ares_projectc-ares1.11.0any
c-ares_projectc-ares1.11.0any
nodejsnode.js*≥4.0.0  –  ≤4.1.2
nodejsnode.js*≥4.2.0  –  <4.8.4
nodejsnode.js*≥5.0.0  –  ≤5.12.0
nodejsnode.js*≥6.0.0  –  ≤6.8.1
nodejsnode.js*≥6.9.0  –  <6.11.1
nodejsnode.js*≥7.0.0  –  <7.10.1
nodejsnode.js*≥8.0.0  –  <8.1.4

References 3

  • securityfocus.com http://www.securityfocus.com/bid/99148
    Third Party AdvisoryVDB Entry
  • c-ares.haxx.se https://c-ares.haxx.se/0616.patch
    Mailing ListVendor Advisory
  • c-ares.haxx.se https://c-ares.haxx.se/adv_20170620.html
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.