CVE-2021-3672

Description

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

How to fix CVE-2021-3672

To remediate CVE-2021-3672, upgrade the affected package to a fixed version below.

• —upgrade to 1.17.2-r0 or later
• —upgrade to 12.22.5-r0 or later
• —upgrade to 12.12.1 or later
• —upgrade to 12.12.1 or later
• —upgrade to 1.17.1 or later
• —upgrade to 1.14.0-1+deb10u1 or later
• —upgrade to 1.12.0-1+deb9u2 or later
• —upgrade to 1.17.1-1+deb11u1 or later

Is CVE-2021-3672 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (8)

• from 0, < 1.17.2-r0
• from 0, < 12.22.5-r0
• >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.22.5, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.17.5, >= 16.0.0, < 16.6.2
• >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.22.5, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.17.5, >= 16.0.0, < 16.6.2
• from 0, < 1.17.1
• from 0, < 1.14.0-1+deb10u1
• from 0, < 1.12.0-1+deb9u2
• from 0, < 1.17.1-1+deb11u1

CVSS scores

References (8)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2021-3672
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-3672
• WEBbugzilla.redhat.com/show_bug.cgi?id=1988342
• WEBc-ares.haxx.se/adv_20210810.html
• WEB