CVE-2023-31130

CVSS v3.1 6.4 (Medium)

EPSS 0.04 % (15^th)

Affected Products 3

Advisories 34

NVD Status Modified

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.

Weaknesses

CWE-124: Buffer Underwrite ('Buffer Underflow')
CWE-787: Out-of-bounds Write

CVE Status: PUBLISHED
NVD Status: Modified
CNA: GitHub, Inc.
Published Date: 2023-05-25 22:15:09
(16 months ago)
Updated Date: 2024-06-10 17:16:12
(3 months ago)

Affected Products

Configuration #1

		CPE23	From	Up To
	C-ares Project C-ares prior 1.19.1 version	cpe:2.3:a:c-ares_project:c-ares		< 1.19.1

Configuration #2

		CPE23	From	Up To
	Fedoraproject Fedora 37	cpe:2.3:o:fedoraproject:fedora:37
	Fedoraproject Fedora 38	cpe:2.3:o:fedoraproject:fedora:38

Configuration #3

		CPE23	From	Up To
	Debian Linux 10.0	cpe:2.3:o:debian:debian_linux:10.0
	Debian Linux 11.0	cpe:2.3:o:debian:debian_linux:11.0

Weaknesses

Affected Products

C-ares Project

Debian

Fedoraproject

Configuration #1

Configuration #2

Configuration #3