Lucene search

K
redhatcveRedhat.comRH:CVE-2024-25629
HistoryFeb 23, 2024 - 7:31 p.m.

CVE-2024-25629

2024-02-2319:31:57
redhat.com
access.redhat.com
10
c-ares
vulnerability
parsing
configuration files
memory read
crash
mitigation
red hat
product security

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

4.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

A vulnerability was found in c-ares where the ares__read_line() is used to parse local configuration files such as /etc/resolv.conf, /etc/nsswitch.conf, the HOSTALIASES file, and if using a c-ares version prior to 1.22.0, the /etc/hosts file. If the configuration files have an embedded NULL character as the first character in a new line, it can attempt to read memory before the start of the given buffer, which may result in a crash.

Mitigation

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

4.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%