Vulnerability Description
The c-ares function `ares_parse_naptr_reply()`, which parses NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed-in DNS response packet was crafted in a particular way.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| C-Ares | C-Ares | 1.8.0 |
| C-Ares Project | C-Ares | 1.11.0 |
| Nodejs | Node.Js | >= 4.0.0, <= 4.1.2 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/99148 (Third Party Advisory, VDB Entry)
- https://c-ares.haxx.se/0616.patch (Mailing List, Vendor Advisory)
- https://c-ares.haxx.se/adv_20170620.html (Vendor Advisory)
FAQ
What is CVE-2017-1000381?
CVE-2017-1000381 is a vulnerability with a CVSS score of 7.5 (HIGH). The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was ...
How severe is CVE-2017-1000381?
CVE-2017-1000381 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2017-1000381?
Check the references section above for vendor advisories and patch information. Affected products include: C-Ares C-Ares, C-Ares Project C-Ares, Nodejs Node.Js.