CVE-2021-43523
CVSS V2 Medium 6.8
CVSS V3 Critical 9.6
Description
In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo can lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, applications crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur.
Overview
- CVE ID
- CVE-2021-43523
- Assigner
- cve@mitre.org
- Vulnerability Status
- Analyzed
- Published Version
- 2021-11-10T15:15:12
- Last Modified Date
- 2021-11-15T14:19:43
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End |
---|---|---|---|---|
cpe:2.3:a:uclibc:uclibc:*:*:*:*:*:*:*:* | 1 | OR | 0.9.33.2 | |
cpe:2.3:a:uclibc-ng_project:uclibc-ng:*:*:*:*:*:*:*:* | 1 | OR | 1.0.39 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:M/Au:N/C:P/I:P/A:P
- Access Vector
- NETWORK
- Access Compatibility
- MEDIUM
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- PARTIAL
- Availability Impact
- PARTIAL
- Base Score
- 6.8
- Severity
- MEDIUM
- Exploitability Score
- 8.6
- Impact Score
- 6.4
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- REQUIRED
- Scope
- CHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- HIGH
- Base Score
- 9.6
- Base Severity
- CRITICAL
- Exploitability Score
- 2.8
- Impact Score
- 6
References
Reference URL | Reference Tags |
---|---|
https://www.openwall.com/lists/oss-security/2021/11/09/1 | Exploit Mailing List Third Party Advisory |
https://uclibc-ng.org/ | Vendor Advisory |
https://github.com/wbx-github/uclibc-ng/commit/0f822af0445e5348ce7b7bd8ce1204244f31d174 | Patch Third Party Advisory |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2021-43523 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43523 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2022-05-10 06:47:23 | Added to TrackCVE | |||
2022-12-05 14:15:54 | 2021-11-10T15:15Z | 2021-11-10T15:15:12 | CVE Published Date | updated |
2022-12-05 14:15:54 | 2021-11-15T14:19:43 | CVE Modified Date | updated | |
2022-12-05 14:15:54 | Analyzed | Vulnerability Status | updated |