{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-09-12T00:00:00", "descriptions": [{"lang": "en", "value": "The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-01T17:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/golang/go/issues/6336"}, {"name": "[oss-security] 20150128 Re: the other glibc issue", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/01/28/20"}, {"name": "openSUSE-SU-2015:0351", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html"}, {"name": "GLSA-201602-02", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201602-02"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=15946"}, {"name": "USN-2519-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2519-1"}, {"name": "RHSA-2015:0863", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0863.html"}, {"name": "72844", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/72844"}, {"name": "RHSA-2016:1207", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2016:1207"}, {"name": "20210901 SEC Consult SA-20210901-0 :: Multiple vulnerabilities in MOXA devices", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2021/Sep/0"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/164014/Moxa-Command-Injection-Cross-Site-Scripting-Vulnerable-Software.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7423", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/golang/go/issues/6336", "refsource": "CONFIRM", "url": "https://github.com/golang/go/issues/6336"}, {"name": "[oss-security] 20150128 Re: the other glibc issue", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/01/28/20"}, {"name": "openSUSE-SU-2015:0351", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html"}, {"name": "GLSA-201602-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201602-02"}, {"name": "https://sourceware.org/bugzilla/show_bug.cgi?id=15946", "refsource": "CONFIRM", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=15946"}, {"name": "USN-2519-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2519-1"}, {"name": "RHSA-2015:0863", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0863.html"}, {"name": "72844", "refsource": "BID", "url": "http://www.securityfocus.com/bid/72844"}, {"name": "RHSA-2016:1207", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1207"}, {"name": "20210901 SEC Consult SA-20210901-0 :: Multiple vulnerabilities in MOXA devices", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2021/Sep/0"}, {"name": "http://packetstormsecurity.com/files/164014/Moxa-Command-Injection-Cross-Site-Scripting-Vulnerable-Software.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/164014/Moxa-Command-Injection-Cross-Site-Scripting-Vulnerable-Software.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T18:09:16.980Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/golang/go/issues/6336"}, {"name": "[oss-security] 20150128 Re: the other glibc issue", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/01/28/20"}, {"name": "openSUSE-SU-2015:0351", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html"}, {"name": "GLSA-201602-02", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201602-02"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=15946"}, {"name": "USN-2519-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2519-1"}, {"name": "RHSA-2015:0863", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0863.html"}, {"name": "72844", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/72844"}, {"name": "RHSA-2016:1207", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2016:1207"}, {"name": "20210901 SEC Consult SA-20210901-0 :: Multiple vulnerabilities in MOXA devices", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2021/Sep/0"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/164014/Moxa-Command-Injection-Cross-Site-Scripting-Vulnerable-Software.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7423", "datePublished": "2015-02-24T15:00:00", "dateReserved": "2015-01-28T00:00:00", "dateUpdated": "2024-08-06T18:09:16.980Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*", "matchCriteriaId": "1F3BEFDB-5156-4E1C-80BB-8BE9FEAA7623", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*", "matchCriteriaId": "5D37DF0F-F863-45AC-853A-3E04F9FEC7CA", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*", "matchCriteriaId": "49A63F39-30BE-443F-AF10-6245587D3359", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*", "matchCriteriaId": "8768EA17-45CA-4B47-B9E6-D58D11C45B56", "versionEndExcluding": "2.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function."}, {"lang": "es", "value": "La funci\u00f3n send_dg en resolv/res_send.c en GNU C Library (tambi\u00e9n conocido como glibc o libc6) en versiones anteriores a 2.20 no reutiliza adecuadamente descriptores de fichero, lo que permite a atacantes remotos mandar consultas DNS a ubicaciones no intencionadas a trav\u00e9s de un gran n\u00famero de peticiones que desencadenan una llamada a la funci\u00f3n getaddrinfo."}], "id": "CVE-2013-7423", "lastModified": "2021-09-01T18:15:07.863", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-02-24T15:59:00.050", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html"}, {"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/164014/Moxa-Command-Injection-Cross-Site-Scripting-Vulnerable-Software.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2015-0863.html"}, {"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2021/Sep/0"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/01/28/20"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/72844"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2519-1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2016:1207"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/golang/go/issues/6336"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201602-02"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=15946"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-17"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2015:0863", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "glibc-0:2.12-1.149.el6_6.7", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2015-04-21T00:00:00Z"}, {"advisory": "RHSA-2016:1207", "cpe": "cpe:/o:redhat:rhel_aus:6.5", "package": "glibc-0:2.12-1.132.el6_5.8", "product_name": "Red Hat Enterprise Linux 6.5 Advanced Update Support", "release_date": "2016-06-07T00:00:00Z"}, {"advisory": "RHSA-2015:2199", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "glibc-0:2.17-105.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-11-19T00:00:00Z"}, {"advisory": "RHSA-2015:2589", "cpe": "cpe:/o:redhat:rhel_eus:7.1", "package": "glibc-0:2.17-79.el7_1", "product_name": "Red Hat Enterprise Linux 7.1 Extended Update Support", "release_date": "2015-12-09T00:00:00Z"}], "bugzilla": {"description": "glibc: getaddrinfo() writes DNS queries to random file descriptors under high load", "id": "1187109", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1187109"}, "csaw": false, "cvss": {"cvss_base_score": "1.2", "cvss_scoring_vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "status": "verified"}, "cwe": "CWE-362->CWE-201", "details": ["The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.", "It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data."], "name": "CVE-2013-7423", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 5"}], "public_date": "2013-09-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-7423\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-7423"], "statement": "This issue did not affect the versions of glibc as shipped with Red Hat Enterprise Linux 5 as they did not include the vulnerable code, which was introduced in later versions.", "threat_severity": "Moderate"}