Vulnerabilities > CVE-2023-31130 - Out-of-bounds Write vulnerability in multiple products

CVSS 6.4 - MEDIUM

Attack vector

LOCAL

Attack complexity

HIGH

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

high complexity

NVD

Published: 2023-05-25

Updated: 2024-06-10

Summary

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.

Vulnerable Configurations

Part	Description	Count
Application	C-Ares_Project C Ares Project C Ares - C Ares Project C Ares 1.0.0 C Ares Project C Ares 1.1.0 C Ares Project C Ares 1.2.0 C Ares Project C Ares 1.2.1 C Ares Project C Ares 1.3.0 C Ares Project C Ares 1.3.1 C Ares Project C Ares 1.3.2 C Ares Project C Ares 1.4.0 C Ares Project C Ares 1.5.0 C Ares Project C Ares 1.5.1 C Ares Project C Ares 1.5.2 C Ares Project C Ares 1.5.3 C Ares Project C Ares 1.6.0 C Ares Project C Ares 1.7.0 C Ares Project C Ares 1.7.1 C Ares Project C Ares 1.7.2 C Ares Project C Ares 1.7.3 C Ares Project C Ares 1.7.4 C Ares Project C Ares 1.7.5 C Ares Project C Ares 1.8.0 C Ares Project C Ares 1.9.0 C Ares Project C Ares 1.9.1 C Ares Project C Ares 1.10.0 C Ares Project C Ares 1.11.0 C Ares Project C Ares 1.12.0 C Ares Project C Ares 1.13.0 C Ares Project C Ares 1.14.0 C Ares Project C Ares 1.15.0 C Ares Project C Ares 1.16.0 C Ares Project C Ares 1.16.1 C Ares Project C Ares 1.17.0 C Ares Project C Ares 1.17.1 C Ares Project C Ares 1.17.2 C Ares Project C Ares 1.18.0 C Ares Project C Ares 1.18.1 C Ares Project C Ares 1.19.0	38
OS	Fedoraproject Fedoraproject Fedora 37 Fedoraproject Fedora 38	2
OS	Debian Debian Debian Linux 10.0 Debian Debian Linux 11.0	2

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References