{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-06-20T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-10T09:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://c-ares.haxx.se/0616.patch"}, {"name": "99148", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99148"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://c-ares.haxx.se/adv_20170620.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-1000381", "REQUESTER": "daniel@haxx.se", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://c-ares.haxx.se/0616.patch", "refsource": "CONFIRM", "url": "https://c-ares.haxx.se/0616.patch"}, {"name": "99148", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99148"}, {"name": "https://c-ares.haxx.se/adv_20170620.html", "refsource": "CONFIRM", "url": "https://c-ares.haxx.se/adv_20170620.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T22:00:40.967Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://c-ares.haxx.se/0616.patch"}, {"name": "99148", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/99148"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://c-ares.haxx.se/adv_20170620.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000381", "datePublished": "2017-07-07T17:00:00.000Z", "dateReserved": "2017-07-07T00:00:00.000Z", "dateUpdated": "2024-08-05T22:00:40.967Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:c-ares:c-ares:1.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "D7BDB0FC-AA36-4C41-B3DC-201F0DE0191A", "vulnerable": true}, {"criteria": "cpe:2.3:a:c-ares:c-ares:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "5B38F8E2-7710-4303-A80F-9009619BEC7B", "vulnerable": true}, {"criteria": "cpe:2.3:a:c-ares:c-ares:1.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "AA1637EF-3393-4770-91AE-89EA53D57830", "vulnerable": true}, {"criteria": "cpe:2.3:a:c-ares:c-ares:1.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "93FA2559-0DB1-49BE-A6E6-C73408F4AB57", "vulnerable": true}, {"criteria": "cpe:2.3:a:c-ares:c-ares:1.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "B92EADF5-3500-4F37-808E-41DC48DE8D68", "vulnerable": true}, {"criteria": "cpe:2.3:a:c-ares_project:c-ares:1.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "B8F4F4BD-4316-4CB2-8FCE-9EE5C59E64EA", "vulnerable": true}, {"criteria": "cpe:2.3:a:c-ares_project:c-ares:1.11.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "476034B6-69BF-4130-8139-D5DDC1EB0028", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "A47FC4F7-1F77-4314-B4B3-3C5D8E335379", "versionEndIncluding": "4.1.2", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "AC1070A7-E3E0-423C-A73A-040FCED8AD96", "versionEndExcluding": "4.8.4", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "121E5D5D-B4D9-43F3-B5C9-74590192FAF1", "versionEndIncluding": "5.12.0", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "D107EC29-67E7-40C3-8E5A-324C9105C5E4", "versionEndIncluding": "6.8.1", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "6EA3B1B4-3576-4508-AC77-4AE3A5622E09", "versionEndExcluding": "6.11.1", "versionStartIncluding": "6.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "B9C02D94-B713-4BE4-8C26-F21C2ADC01B0", "versionEndExcluding": "7.10.1", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "02C6E585-2704-4EC2-BED1-CF6D61BE9CC9", "versionEndExcluding": "8.1.4", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way."}, {"lang": "es", "value": "La funci\u00f3n \"ares_parse_naptr_reply()\" de c-ares, que es usada para analizar las respuestas NAPTR, podr\u00eda ser activada para leer la memoria fuera del b\u00fafer de entrada dado si el pasado en el paquete de respuesta DNS fue creado de una manera particular."}], "id": "CVE-2017-1000381", "lastModified": "2026-05-13T00:24:29.033", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-07-07T17:29:00.307", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99148"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://c-ares.haxx.se/0616.patch"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://c-ares.haxx.se/adv_20170620.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99148"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://c-ares.haxx.se/0616.patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://c-ares.haxx.se/adv_20170620.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Daniel Stenberg for reporting this issue. Upstream acknowledges LCatro as the original reporter.", "affected_release": [{"advisory": "RHSA-2017:2908", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-nodejs6-nodejs-0:6.11.3-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2017-10-18T00:00:00Z"}, {"advisory": "RHSA-2017:2908", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-nodejs6-nodejs-0:6.11.3-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2017-10-18T00:00:00Z"}, {"advisory": "RHSA-2017:2908", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-nodejs6-nodejs-0:6.11.3-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2017-10-18T00:00:00Z"}, {"advisory": "RHSA-2017:2908", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-nodejs6-nodejs-0:6.11.3-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date": "2017-10-18T00:00:00Z"}], "bugzilla": {"description": "c-ares: NAPTR parser out of bounds access", "id": "1463132", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1463132"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "status": "verified"}, "cwe": "CWE-125", "details": ["The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way."], "name": "CVE-2017-1000381", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "c-ares", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "c-ares", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "c-ares", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openstack-optools:7", "fix_state": "Will not fix", "package_name": "nodejs", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Will not fix", "package_name": "nodejs010-nodejs", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:openshift:3", "fix_state": "Will not fix", "package_name": "nodejs", "product_name": "Red Hat OpenShift Enterprise 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Will not fix", "package_name": "nodejs010-c-ares", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Not affected", "package_name": "nodejs010-nodejs", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Will not fix", "package_name": "rh-nodejs4-nodejs", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Affected", "package_name": "rh-nodejs6-nodejs", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs8-nodejs", "product_name": "Red Hat Software Collections"}], "public_date": "2017-06-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-1000381\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000381\nhttps://c-ares.haxx.se/adv_20170620.html"], "threat_severity": "Moderate"}

{}