CVE-2023-31130

medium

Description

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.

References

https://www.debian.org/security/2023/dsa-5419

https://security.gentoo.org/glsa/202310-09

https://lists.fedoraproject.org/archives/list/[email protected]/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/

https://lists.fedoraproject.org/archives/list/[email protected]/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/

https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html

https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v

https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1

Details

Source: Mitre, NVD

Published: 2023-05-25

Updated: 2023-10-31

Risk Information

CVSS v2

Base Score: 5.9

Vector: CVSS2#AV:L/AC:H/Au:M/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 6.4

Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Severity: Medium