Lucene search

K
cvelistGitHub_MCVELIST:CVE-2023-31130
HistoryMay 25, 2023 - 9:45 p.m.

CVE-2023-31130 Buffer Underwrite in ares_inet_net_pton()

2023-05-2521:45:42
CWE-124
GitHub_M
www.cve.org
c-ares library
asynchronous resolver
buffer underflow
ipv6 addresses
configuration
administrator
vulnerable
severe issues
fix

4.1 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular “0::00:00:00/2” was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.

CNA Affected

[
  {
    "vendor": "c-ares",
    "product": "c-ares",
    "versions": [
      {
        "version": "< 1.19.1",
        "status": "affected"
      }
    ]
  }
]

4.1 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%