CVE-2023-31130

Public on 2023-05-22
Modified on 2024-02-10
Description
ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist().

However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues.
Severity
Medium severity
Medium
CVSS v3 Base Score
5.3
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 c-ares Pending Fix
Amazon Linux 2 - Core c-ares 2024-01-03 ALAS2-2024-2399 Fixed
Amazon Linux 2023 c-ares 2023-06-05 ALAS2023-2023-198 Fixed
Amazon Linux 2 - Ecs Extra ecs-service-connect-agent 2023-09-14 ALAS2ECS-2023-007 Fixed
Amazon Linux 2023 ecs-service-connect-agent 2023-09-14 ALAS2023-2023-344 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
NVD CVSSv3 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H