{"api_version":"1","generated_at":"2026-04-23T01:14:52+00:00","cve":"CVE-2023-31147","urls":{"html":"https://cve.report/CVE-2023-31147","api":"https://cve.report/api/cve/CVE-2023-31147.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-31147","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-31147"},"summary":{"title":"CVE-2023-31147","description":"c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compliant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random(), which is widely available. This issue has been fixed in version 1.19.1.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2023-05-25 22:15:00","updated_at":"2023-10-31 16:06:00"},"problem_types":["CWE-330"],"metrics":[],"references":[{"url":"https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2","name":"https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2","refsource":"MISC","tags":[],"title":"Insufficient randomness in generation of DNS query IDs · Advisory · c-ares/c-ares · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: c-ares-1.19.1-1.fc38 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1","name":"https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1","refsource":"MISC","tags":[],"title":"Release 1.19.1 · c-ares/c-ares · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202310-09","name":"https://security.gentoo.org/glsa/202310-09","refsource":"MISC","tags":[],"title":"c-ares: Multiple Vulnerabilities (GLSA 202310-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: c-ares-1.19.1-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-31147","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31147","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"31147","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"c-ares_project","cpe5":"c-ares","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"31147","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"31147","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-31147","qid":"160732","title":"Oracle Enterprise Linux Security Update for nodejs (ELSA-2023-3586)"},{"cve":"CVE-2023-31147","qid":"160740","title":"Oracle Enterprise Linux Security Update for 18 (ELSA-2023-3577)"},{"cve":"CVE-2023-31147","qid":"160788","title":"Oracle Enterprise Linux Security Update for nodejs:16 (ELSA-2023-4034)"},{"cve":"CVE-2023-31147","qid":"160794","title":"Oracle Enterprise Linux Security Update for nodejs:18 (ELSA-2023-4035)"},{"cve":"CVE-2023-31147","qid":"161099","title":"Oracle Enterprise Linux Security Update for c-ares (ELSA-2023-6635)"},{"cve":"CVE-2023-31147","qid":"241702","title":"Red Hat Update for nodejs:18 (RHSA-2023:3577)"},{"cve":"CVE-2023-31147","qid":"241724","title":"Red Hat Update for nodejs (RHSA-2023:3586)"},{"cve":"CVE-2023-31147","qid":"241786","title":"Red Hat Update for rh-nodejs14-nodejs (RHSA-2023:4039)"},{"cve":"CVE-2023-31147","qid":"241787","title":"Red Hat Update for nodejs 
(RHSA-2023:4036)"},{"cve":"CVE-2023-31147","qid":"241788","title":"Red Hat Update for nodejs:18 (RHSA-2023:4035)"},{"cve":"CVE-2023-31147","qid":"241790","title":"Red Hat Update for nodejs:16 (RHSA-2023:4033)"},{"cve":"CVE-2023-31147","qid":"241792","title":"Red Hat Update for nodejs:16 (RHSA-2023:4034)"},{"cve":"CVE-2023-31147","qid":"242322","title":"Red Hat Update for c-ares security (RHSA-2023:6635)"},{"cve":"CVE-2023-31147","qid":"284001","title":"Fedora Security Update for c (FEDORA-2023-ae97529c00)"},{"cve":"CVE-2023-31147","qid":"284101","title":"Fedora Security Update for c (FEDORA-2023-520848815b)"},{"cve":"CVE-2023-31147","qid":"355414","title":"Amazon Linux Security Advisory for c-ares : ALAS2023-2023-198"},{"cve":"CVE-2023-31147","qid":"356117","title":"Amazon Linux Security Advisory for ecs-service-connect-agent : ALAS2023-2023-344"},{"cve":"CVE-2023-31147","qid":"356246","title":"Amazon Linux Security Advisory for ecs-service-connect-agent : ALASECS-2023-007"},{"cve":"CVE-2023-31147","qid":"356504","title":"Amazon Linux Security Advisory for ecs-service-connect-agent : ALAS2ECS-2023-007"},{"cve":"CVE-2023-31147","qid":"673270","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-2575)"},{"cve":"CVE-2023-31147","qid":"673319","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-2605)"},{"cve":"CVE-2023-31147","qid":"673489","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-2828)"},{"cve":"CVE-2023-31147","qid":"673513","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-2833)"},{"cve":"CVE-2023-31147","qid":"673706","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-3115)"},{"cve":"CVE-2023-31147","qid":"673890","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-2780)"},{"cve":"CVE-2023-31147","qid":"674117","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-2804)"},{"cve":"CVE-2023-31147","qid":"710769","title":"Gentoo Linux c-ares Multiple Vulnerabilities (GLSA 
202310-09)"},{"cve":"CVE-2023-31147","qid":"754046","title":"SUSE Enterprise Linux Security Update for c-ares (SUSE-SU-2023:2313-1)"},{"cve":"CVE-2023-31147","qid":"754083","title":"SUSE Enterprise Linux Security Update for libcares2 (SUSE-SU-2023:2477-1)"},{"cve":"CVE-2023-31147","qid":"754181","title":"SUSE Enterprise Linux Security Update for nodejs16 (SUSE-SU-2023:2861-1)"},{"cve":"CVE-2023-31147","qid":"906992","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for c-ares (26869-1)"},{"cve":"CVE-2023-31147","qid":"907007","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for c-ares (26847-1)"},{"cve":"CVE-2023-31147","qid":"907092","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (26874-1)"},{"cve":"CVE-2023-31147","qid":"907312","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs18 (26875-1)"},{"cve":"CVE-2023-31147","qid":"907544","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for fluent-bit (26870-1)"},{"cve":"CVE-2023-31147","qid":"941145","title":"AlmaLinux Security Update for nodejs (ALSA-2023:3586)"},{"cve":"CVE-2023-31147","qid":"941153","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:3577)"},{"cve":"CVE-2023-31147","qid":"941168","title":"AlmaLinux Security Update for nodejs:16 (ALSA-2023:4034)"},{"cve":"CVE-2023-31147","qid":"941169","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:4035)"},{"cve":"CVE-2023-31147","qid":"941381","title":"AlmaLinux Security Update for c-ares (ALSA-2023:6635)"},{"cve":"CVE-2023-31147","qid":"960945","title":"Rocky Linux Security Update for nodejs:18 (RLSA-2023:3577)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-31147","ASSIGNER":"security-advisories@github.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"c-ares is an asynchronous resolver library. 
When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compliant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random(), which is widely available. This issue has been fixed in version 1.19.1."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-330: Use of Insufficiently Random Values","cweId":"CWE-330"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"c-ares","product":{"product_data":[{"product_name":"c-ares","version":{"version_data":[{"version_affected":"=","version_value":"< 1.19.1"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2","refsource":"MISC","name":"https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2"},{"url":"https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1","refsource":"MISC","name":"https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"},{"url":"https://security.gentoo.org/glsa/202310-09","refsource":"MISC","name":"https://security.gentoo.org/glsa/202310-09"}]},"source":{"advisory":"GHSA-8r8p-23f3-64c2","discov
ery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}]}},"nvd":{"publishedDate":"2023-05-25 22:15:00","lastModifiedDate":"2023-10-31 16:06:00","problem_types":["CWE-330"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":2.5}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*","versionEndExcluding":"1.19.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}