CVE-2021-3672

MEDIUM
Published Nov 23, 20214y ago · Modified Jun 17, 20262w ago
5.6 CVSS 3.1
Medium
Find Similar
Published Nov 23, 2021 4y ago
Last Modified Jun 17, 2026 2w ago

Description

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

CVSS Details

Base Score
5.6
Exploitability
2.2
Impact
3.4
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability Low

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 35

VendorProductVersionRange
c-ares_projectc-ares*≥1.0.0  –  <1.17.2
fedoraprojectfedora33any
fedoraprojectfedora34any
redhatenterprise_linux7.0any
redhatenterprise_linux7.7any
redhatenterprise_linux8.0any
redhatenterprise_linux_computer_node1any
redhatenterprise_linux_eus7.7any
redhatenterprise_linux_eus8.1any
redhatenterprise_linux_eus8.2any
redhatenterprise_linux_eus8.4any
redhatenterprise_linux_for_ibm_z_systems8.0any
redhatenterprise_linux_for_ibm_z_systems_eus8.1any
redhatenterprise_linux_for_ibm_z_systems_eus8.2any
redhatenterprise_linux_for_ibm_z_systems_eus8.4any
redhatenterprise_linux_for_power_little_endian8.0any
redhatenterprise_linux_for_power_little_endian_eus8.1any
redhatenterprise_linux_for_power_little_endian_eus8.2any
redhatenterprise_linux_for_power_little_endian_eus8.4any
redhatenterprise_linux_server_aus8.2any
redhatenterprise_linux_server_aus8.4any
redhatenterprise_linux_server_tus8.2any
redhatenterprise_linux_server_tus8.4any
redhatenterprise_linux_server_update_services_for_sap_solutions8.1any
redhatenterprise_linux_server_update_services_for_sap_solutions8.2any
redhatenterprise_linux_server_update_services_for_sap_solutions8.4any
redhatenterprise_linux_tus8.4any
redhatenterprise_linux_workstation1any
siemenssinec_infrastructure_network_services* <1.0.1.1
nodejsnode.js*≥12.0.0  –  ≤12.12.0
nodejsnode.js*≥12.13.0  –  <12.22.5
nodejsnode.js*≥14.0.0  –  ≤14.14.0
nodejsnode.js*≥14.15.0  –  <14.17.5
nodejsnode.js*≥16.0.0  –  <16.6.2
pgbouncerpgbouncer* ≤1.17.0

References 5

  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=1988342
    Issue TrackingThird Party Advisory
  • c-ares.haxx.se https://c-ares.haxx.se/adv_20210810.html
    ExploitPatchVendor Advisory
  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
    PatchThird Party Advisory
  • security.gentoo.org https://security.gentoo.org/glsa/202401-02
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Third Party Advisory

Remediation

  • c-ares.haxx.se https://c-ares.haxx.se/adv_20210810.html
    ExploitPatchVendor Advisory
  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
    PatchThird Party Advisory