CVE-2023-31130

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain IPv6 addresses; in particular, "0::00:00:00/2" was found to cause an issue. c-ares only uses this function internally for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
Buffer Underflow

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 4.1 MEDIUM | LOCAL | HIGH | HIGH | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H |

EPSS Score (percentile): 1%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| c-ares_project | c-ares | 𝑥 < 1.19.1 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 11.0 |

𝑥 = Vulnerable software versions
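Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| c-ares | bookworm | 1.18.1-3 | fixed |
| c-ares | bullseye | 1.17.1-1+deb11u3 | fixed |
| c-ares | bullseye (security) | 1.17.1-1+deb11u3 | fixed |
| c-ares | sid | 1.34.4-2.1 | fixed |
| c-ares | trixie | 1.34.4-1 | fixed |
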
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| c-ares | bionic | Fixed 1.14.0-1ubuntu0.2+esm1 | released |
| c-ares | focal | Fixed 1.15.0-1ubuntu0.3 | released |
| c-ares | jammy | Fixed 1.18.1-1ubuntu0.22.04.2 | released |
| c-ares | kinetic | Fixed 1.18.1-1ubuntu0.22.10.2 | released |
| c-ares | lunar | Fixed 1.18.1-2ubuntu0.1 | released |
| c-ares | mantic | not-affected | |
| c-ares | trusty | ignored | |
| c-ares | xenial | Fixed 1.10.0-3ubuntu0.2+esm2 | released |

openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| c-ares-devel | suse enterprise desktop 15 SP4 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise desktop 15 SP5 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise desktop 15 SP6 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise desktop 15 SP7 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise sap 15 SP1 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise sap 15 SP2 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise sap 15 SP4 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise sap 15 SP5 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise sap 15 SP6 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise sap 15 SP7 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise server 15 SP1 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise server 15 SP2 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise server 15 SP3 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise server 15 SP4 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise server 15 SP5 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise server 15 SP6 | 1.19.1-150000.3.23.1 | fixed |
| c-ares-devel | suse enterprise server 15 SP7 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise desktop 15 SP4 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise desktop 15 SP5 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise desktop 15 SP6 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise desktop 15 SP7 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise sap 15 SP1 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise sap 15 SP2 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise sap 15 SP4 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise sap 15 SP5 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise sap 15 SP6 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise sap 15 SP7 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise server 15 SP1 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise server 15 SP2 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise server 15 SP3 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise server 15 SP4 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise server 15 SP5 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise server 15 SP6 | 1.19.1-150000.3.23.1 | fixed |
| libcares2 | suse enterprise server 15 SP7 | 1.19.1-150000.3.23.1 | fixed |
| nodejs16 | suse enterprise sap 12 | 16.20.1-8.30.1 | fixed |
| nodejs16 | suse enterprise sap 12 SP3 | 16.20.1-8.30.1 | fixed |
| nodejs16 | suse enterprise sap 12 SP4 | 16.20.1-8.30.1 | fixed |
| nodejs16 | suse enterprise sap 12 SP5 | 16.20.1-8.30.1 | fixed |
| nodejs16 | suse enterprise sap 15 SP4 | 16.20.1-150400.3.21.1 | fixed |
| nodejs16 | suse enterprise server 12 | 16.20.1-8.30.1 | fixed |
| nodejs16 | suse enterprise server 12 SP3 | 16.20.1-8.30.1 | fixed |
| nodejs16 | suse enterprise server 12 SP4 | 16.20.1-8.30.1 | fixed |
| nodejs16 | suse enterprise server 12 SP5 | 16.20.1-8.30.1 | fixed |
| nodejs16 | suse enterprise server 15 SP3 | 16.20.1-150300.7.24.2 | fixed |
| nodejs16 | suse enterprise server 15 SP4 | 16.20.1-150400.3.21.1 | fixed |
| nodejs16-devel | suse enterprise sap 12 | 16.20.1-8.30.1 | fixed |
| nodejs16-devel | suse enterprise sap 12 SP3 | 16.20.1-8.30.1 | fixed |
| nodejs16-devel | suse enterprise sap 12 SP4 | 16.20.1-8.30.1 | fixed |
| nodejs16-devel | suse enterprise sap 12 SP5 | 16.20.1-8.30.1 | fixed |
| nodejs16-devel | suse enterprise sap 15 SP4 | 16.20.1-150400.3.21.1 | fixed |
| nodejs16-devel | suse enterprise server 12 | 16.20.1-8.30.1 | fixed |
| nodejs16-devel | suse enterprise server 12 SP3 | 16.20.1-8.30.1 | fixed |
| nodejs16-devel | suse enterprise server 12 SP4 | 16.20.1-8.30.1 | fixed |
| nodejs16-devel | suse enterprise server 12 SP5 | 16.20.1-8.30.1 | fixed |
| nodejs16-devel | suse enterprise server 15 SP3 | 16.20.1-150300.7.24.2 | fixed |
| nodejs16-devel | suse enterprise server 15 SP4 | 16.20.1-150400.3.21.1 | fixed |
| nodejs16-docs | suse enterprise sap 12 | 16.20.1-8.30.1 | fixed |
| nodejs16-docs | suse enterprise sap 12 SP3 | 16.20.1-8.30.1 | fixed |
| nodejs16-docs | suse enterprise sap 12 SP4 | 16.20.1-8.30.1 | fixed |
| nodejs16-docs | suse enterprise sap 12 SP5 | 16.20.1-8.30.1 | fixed |
| nodejs16-docs | suse enterprise sap 15 SP4 | 16.20.1-150400.3.21.1 | fixed |
| nodejs16-docs | suse enterprise server 12 | 16.20.1-8.30.1 | fixed |
| nodejs16-docs | suse enterprise server 12 SP3 | 16.20.1-8.30.1 | fixed |
| nodejs16-docs | suse enterprise server 12 SP4 | 16.20.1-8.30.1 | fixed |
| nodejs16-docs | suse enterprise server 12 SP5 | 16.20.1-8.30.1 | fixed |
| nodejs16-docs | suse enterprise server 15 SP3 | 16.20.1-150300.7.24.2 | fixed |
| nodejs16-docs | suse enterprise server 15 SP4 | 16.20.1-150400.3.21.1 | fixed |
| nodejs18 | suse enterprise sap 12 | 18.16.1-8.9.1 | fixed |
| nodejs18 | suse enterprise sap 12 SP3 | 18.16.1-8.9.1 | fixed |
| nodejs18 | suse enterprise sap 12 SP4 | 18.16.1-8.9.1 | fixed |
| nodejs18 | suse enterprise sap 12 SP5 | 18.16.1-8.9.1 | fixed |
| nodejs18 | suse enterprise sap 15 SP4 | 18.16.1-150400.9.9.1 | fixed |
| nodejs18 | suse enterprise sap 15 SP5 | 18.16.1-150400.9.9.1 | fixed |
| nodejs18 | suse enterprise server 12 | 18.16.1-8.9.1 | fixed |
| nodejs18 | suse enterprise server 12 SP3 | 18.16.1-8.9.1 | fixed |
| nodejs18 | suse enterprise server 12 SP4 | 18.16.1-8.9.1 | fixed |
| nodejs18 | suse enterprise server 12 SP5 | 18.16.1-8.9.1 | fixed |
| nodejs18 | suse enterprise server 15 SP4 | 18.16.1-150400.9.9.1 | fixed |
| nodejs18 | suse enterprise server 15 SP5 | 18.16.1-150400.9.9.1 | fixed |
| nodejs18-devel | suse enterprise sap 12 | 18.16.1-8.9.1 | fixed |
| nodejs18-devel | suse enterprise sap 12 SP3 | 18.16.1-8.9.1 | fixed |
| nodejs18-devel | suse enterprise sap 12 SP4 | 18.16.1-8.9.1 | fixed |
| nodejs18-devel | suse enterprise sap 12 SP5 | 18.16.1-8.9.1 | fixed |
| nodejs18-devel | suse enterprise sap 15 SP4 | 18.16.1-150400.9.9.1 | fixed |
| nodejs18-devel | suse enterprise sap 15 SP5 | 18.16.1-150400.9.9.1 | fixed |
| nodejs18-devel | suse enterprise server 12 | 18.16.1-8.9.1 | fixed |
| nodejs18-devel | suse enterprise server 12 SP3 | 18.16.1-8.9.1 | fixed |
| nodejs18-devel | suse enterprise server 12 SP4 | 18.16.1-8.9.1 | fixed |
| nodejs18-devel | suse enterprise server 12 SP5 | 18.16.1-8.9.1 | fixed |
| nodejs18-devel | suse enterprise server 15 SP4 | 18.16.1-150400.9.9.1 | fixed |
| nodejs18-devel | suse enterprise server 15 SP5 | 18.16.1-150400.9.9.1 | fixed |
| nodejs18-docs | suse enterprise sap 12 | 18.16.1-8.9.1 | fixed |
| nodejs18-docs | suse enterprise sap 12 SP3 | 18.16.1-8.9.1 | fixed |
| nodejs18-docs | suse enterprise sap 12 SP4 | 18.16.1-8.9.1 | fixed |
| nodejs18-docs | suse enterprise sap 12 SP5 | 18.16.1-8.9.1 | fixed |
| nodejs18-docs | suse enterprise sap 15 SP4 | 18.16.1-150400.9.9.1 | fixed |
| nodejs18-docs | suse enterprise sap 15 SP5 | 18.16.1-150400.9.9.1 | fixed |
| nodejs18-docs | suse enterprise server 12 | 18.16.1-8.9.1 | fixed |
| nodejs18-docs | suse enterprise server 12 SP3 | 18.16.1-8.9.1 | fixed |
| nodejs18-docs | suse enterprise server 12 SP4 | 18.16.1-8.9.1 | fixed |
| nodejs18-docs | suse enterprise server 12 SP5 | 18.16.1-8.9.1 | fixed |
| nodejs18-docs | suse enterprise server 15 SP4 | 18.16.1-150400.9.9.1 | fixed |
| nodejs18-docs | suse enterprise server 15 SP5 | 18.16.1-150400.9.9.1 | fixed |
| npm16 | suse enterprise sap 12 | 16.20.1-8.30.1 | fixed |
| npm16 | suse enterprise sap 12 SP3 | 16.20.1-8.30.1 | fixed |
| npm16 | suse enterprise sap 12 SP4 | 16.20.1-8.30.1 | fixed |
| npm16 | suse enterprise sap 12 SP5 | 16.20.1-8.30.1 | fixed |
| npm16 | suse enterprise sap 15 SP4 | 16.20.1-150400.3.21.1 | fixed |
| npm16 | suse enterprise server 12 | 16.20.1-8.30.1 | fixed |
| npm16 | suse enterprise server 12 SP3 | 16.20.1-8.30.1 | fixed |
| npm16 | suse enterprise server 12 SP4 | 16.20.1-8.30.1 | fixed |
| npm16 | suse enterprise server 12 SP5 | 16.20.1-8.30.1 | fixed |
| npm16 | suse enterprise server 15 SP3 | 16.20.1-150300.7.24.2 | fixed |
| npm16 | suse enterprise server 15 SP4 | 16.20.1-150400.3.21.1 | fixed |
| npm18 | suse enterprise sap 12 | 18.16.1-8.9.1 | fixed |
| npm18 | suse enterprise sap 12 SP3 | 18.16.1-8.9.1 | fixed |
| npm18 | suse enterprise sap 12 SP4 | 18.16.1-8.9.1 | fixed |
| npm18 | suse enterprise sap 12 SP5 | 18.16.1-8.9.1 | fixed |
| npm18 | suse enterprise sap 15 SP4 | 18.16.1-150400.9.9.1 | fixed |
| npm18 | suse enterprise sap 15 SP5 | 18.16.1-150400.9.9.1 | fixed |
| npm18 | suse enterprise server 12 | 18.16.1-8.9.1 | fixed |
| npm18 | suse enterprise server 12 SP3 | 18.16.1-8.9.1 | fixed |
| npm18 | suse enterprise server 12 SP4 | 18.16.1-8.9.1 | fixed |
| npm18 | suse enterprise server 12 SP5 | 18.16.1-8.9.1 | fixed |
| npm18 | suse enterprise server 15 SP4 | 18.16.1-150400.9.9.1 | fixed |
| npm18 | suse enterprise server 15 SP5 | 18.16.1-150400.9.9.1 | fixed |

Red Hat Enterprise Linux Releases

| Red Hat Product | Release | Version | Status |
|---|---|---|---|
| c-ares | RHEL 8 | 0:1.13.0-9.el8_9.1 | fixed |
| c-ares | RHEL 8.6 AUS | 0:1.13.0-6.el8_6.2 | fixed |
| c-ares | RHEL 8.6 E4S | 0:1.13.0-6.el8_6.2 | fixed |
| c-ares | RHEL 8.6 EUS | 0:1.13.0-6.el8_6.2 | fixed |
| c-ares | RHEL 8.6 TUS | 0:1.13.0-6.el8_6.2 | fixed |
| c-ares | RHEL 8.8 AUS | 0:1.13.0-6.el8_8.3 | fixed |
| c-ares | RHEL 8.8 E4S | 0:1.13.0-6.el8_8.3 | fixed |
| c-ares | RHEL 8.8 EUS | 0:1.13.0-6.el8_8.3 | fixed |
| c-ares | RHEL 8.8 TUS | 0:1.13.0-6.el8_8.3 | fixed |
| c-ares | RHEL 9 | 0:1.19.1-1.el9 | fixed |
| c-ares-devel | RHEL 8 | 0:1.13.0-9.el8_9.1 | fixed |
| c-ares-devel | RHEL 8.6 AUS | 0:1.13.0-6.el8_6.2 | fixed |
| c-ares-devel | RHEL 8.6 E4S | 0:1.13.0-6.el8_6.2 | fixed |
| c-ares-devel | RHEL 8.6 EUS | 0:1.13.0-6.el8_6.2 | fixed |
| c-ares-devel | RHEL 8.6 TUS | 0:1.13.0-6.el8_6.2 | fixed |
| c-ares-devel | RHEL 8.8 AUS | 0:1.13.0-6.el8_8.3 | fixed |
| c-ares-devel | RHEL 8.8 E4S | 0:1.13.0-6.el8_8.3 | fixed |
| c-ares-devel | RHEL 8.8 EUS | 0:1.13.0-6.el8_8.3 | fixed |
| c-ares-devel | RHEL 8.8 TUS | 0:1.13.0-6.el8_8.3 | fixed |
| c-ares-devel | RHEL 9 | 0:1.19.1-1.el9 | fixed |
| nodejs | RHEL 9 | 1:16.19.1-2.el9_2 | fixed |
| nodejs-docs | RHEL 9 | 1:16.19.1-2.el9_2 | fixed |
| nodejs-full-i18n | RHEL 9 | 1:16.19.1-2.el9_2 | fixed |
| nodejs-libs | RHEL 9 | 1:16.19.1-2.el9_2 | fixed |
| npm | RHEL 9 | 1:8.19.3-1.16.19.1.2.el9_2 | fixed |