CVE-2023-31124
Public on 2023-05-22
Modified on 2025-09-23
Description
When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | c-ares | No Fix Planned | ||
| Amazon Linux 2 - Core | c-ares | 2024-01-22 | ALAS2-2024-2429 | Fixed |
| Amazon Linux 2023 | c-ares | 2023-06-07 | ALAS2023-2023-198 | Fixed |
| Amazon Linux 2 - Ecs Extra | ecs-service-connect-agent | 2023-09-25 | ALAS2ECS-2023-007 | Fixed |
| Amazon Linux 2023 | ecs-service-connect-agent | 2023-09-20 | ALAS2023-2023-344 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| NVD | CVSSv3 | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |