CVE Vulnerabilities

CVE-2023-31130

Buffer Underwrite ('Buffer Underflow')

Published: May 25, 2023 | Modified: Nov 21, 2024
CVSS 3.x
6.4
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
5.7 MODERATE
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
Ubuntu
MEDIUM

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular 0::00:00:00/2 was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.

Weakness

The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

Affected Software

Name Vendor Start Version End Version
C-ares C-ares_project * 1.19.1 (excluding)
Red Hat Enterprise Linux 8 RedHat nodejs:16-8080020230608150024.63b34585 *
Red Hat Enterprise Linux 8 RedHat nodejs:18-8080020230607122508.63b34585 *
Red Hat Enterprise Linux 8 RedHat c-ares-0:1.13.0-9.el8_9.1 *
Red Hat Enterprise Linux 8.6 Extended Update Support RedHat nodejs:16-8060020230620060944.ad008a3a *
Red Hat Enterprise Linux 8.6 Extended Update Support RedHat c-ares-0:1.13.0-6.el8_6.2 *
Red Hat Enterprise Linux 8.8 Extended Update Support RedHat c-ares-0:1.13.0-6.el8_8.3 *
Red Hat Enterprise Linux 9 RedHat nodejs:18-9020020230531092345.rhel9 *
Red Hat Enterprise Linux 9 RedHat nodejs-1:16.19.1-2.el9_2 *
Red Hat Enterprise Linux 9 RedHat c-ares-0:1.19.1-1.el9 *
Red Hat Enterprise Linux 9 RedHat c-ares-0:1.19.1-1.el9 *
Red Hat Enterprise Linux 9.0 Extended Update Support RedHat nodejs-1:16.18.1-4.el9_0 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-nodejs14-nodejs-0:14.21.3-4.el7 *
C-ares Ubuntu bionic *
C-ares Ubuntu esm-infra/bionic *
C-ares Ubuntu esm-infra/xenial *
C-ares Ubuntu focal *
C-ares Ubuntu jammy *
C-ares Ubuntu kinetic *
C-ares Ubuntu lunar *
C-ares Ubuntu trusty *
C-ares Ubuntu upstream *
C-ares Ubuntu xenial *

Potential Mitigations

References