High. 0-byte UDP payload causes Denial of Service. Fixed in 1.19.1. CVE-2023-32067
Moderate. Insufficient randomness in generation of DNS query IDs. Fixed in 1.19.1. CVE-2023-31147
Moderate. Buffer Underwrite in ares_inet_net_pton(). Fixed in 1.19.1. CVE-2023-31130
Low. AutoTools does not set CARES_RANDOM_FILE during cross compilation. Fixed in 1.19.1. CVE-2023-31124
The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. Fixed in 1.19.0 CVE-2022-4904
Missing input validation on hostnames returned by DNS servers
NAPTR parser out of bounds access
ares_create_query single byte out of buffer write
The ares_init:randomize_key function uses the rand command to produce random numbers. A remote attacker could exploit this vulnerability to possibly spoof hostnames and addresses in the DNS cache. project advisory.
For unknown reasons, it seems CVE-2007-3152 is also often used to refer to this same issue.
This flaw was fixed in 1.4.0.