CVE Vulnerabilities

CVE-2023-38470

Reachable Assertion

Published: Nov 02, 2023 | Modified: Nov 09, 2023
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
6.2 MODERATE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.

Weakness

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Affected Software

Name Vendor Start Version End Version
Avahi Avahi * 0.9 (excluding)
Red Hat Enterprise Linux 8 RedHat avahi-0:0.7-21.el8_9.1 *
Red Hat Enterprise Linux 8 RedHat avahi-0:0.7-21.el8_9.1 *
Red Hat Enterprise Linux 8.6 Extended Update Support RedHat avahi-0:0.7-20.el8_6.3 *
Red Hat Enterprise Linux 8.8 Extended Update Support RedHat avahi-0:0.7-20.el8_8.4 *
Red Hat Enterprise Linux 9 RedHat avahi-0:0.8-20.el9 *
Red Hat Enterprise Linux 9 RedHat avahi-0:0.8-20.el9 *
Avahi Ubuntu bionic *
Avahi Ubuntu devel *
Avahi Ubuntu esm-infra/bionic *
Avahi Ubuntu esm-infra/xenial *
Avahi Ubuntu focal *
Avahi Ubuntu jammy *
Avahi Ubuntu kinetic *
Avahi Ubuntu lunar *
Avahi Ubuntu mantic *
Avahi Ubuntu trusty *
Avahi Ubuntu trusty/esm *
Avahi Ubuntu xenial *

Extended Description

While assertion is good for catching logic errors and reducing the chances of reaching more serious vulnerability conditions, it can still lead to a denial of service. For example, if a server handles multiple simultaneous connections, and an assert() occurs in one single connection that causes all other connections to be dropped, this is a reachable assertion that leads to a denial of service.

Potential Mitigations

References