CVE-2023-31130

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue.  C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
Buffer Underflow
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.1 MEDIUM
LOCAL
HIGH
HIGH
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
4.1 MEDIUM
LOCAL
HIGH
HIGH
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
VendorProductVersion
c-ares_projectc-ares
𝑥
< 1.19.1
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
c-ares
bullseye (security)
1.17.1-1+deb11u3
fixed
bullseye
1.17.1-1+deb11u3
fixed
bookworm
1.18.1-3
fixed
trixie
1.34.4-1
fixed
sid
1.34.4-2.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
c-ares
mantic
not-affected
lunar
Fixed 1.18.1-2ubuntu0.1
released
kinetic
Fixed 1.18.1-1ubuntu0.22.10.2
released
jammy
Fixed 1.18.1-1ubuntu0.22.04.2
released
focal
Fixed 1.15.0-1ubuntu0.3
released
bionic
Fixed 1.14.0-1ubuntu0.2+esm1
released
xenial
Fixed 1.10.0-3ubuntu0.2+esm2
released
trusty
ignored
Common Weakness Enumeration
References
https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1
https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v
https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/
https://security.gentoo.org/glsa/202310-09
https://security.netapp.com/advisory/ntap-20240605-0005/
https://www.debian.org/security/2023/dsa-5419
https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1
https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v
https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/
https://security.gentoo.org/glsa/202310-09
https://security.netapp.com/advisory/ntap-20240605-0005/
https://www.debian.org/security/2023/dsa-5419