c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
C-ares Project
  • C-ares
Debian
  • Debian Linux
Fedoraproject
  • Fedora
Redhat
  • Enterprise Linux
  • Rhel Eus
  • Rhel Software Collections

Configuration 1 [-]

cpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 8
nodejs:16-8080020230608150024.63b34585 cpe:/a:redhat:enterprise_linux:8 RHSA-2023:4034 2023-07-12T00:00:00Z
nodejs:18-8080020230607122508.63b34585 cpe:/a:redhat:enterprise_linux:8 RHSA-2023:4035 2023-07-12T00:00:00Z
c-ares-0:1.13.0-9.el8_9.1 cpe:/o:redhat:enterprise_linux:8 RHSA-2023:7207 2023-11-14T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
nodejs:16-8060020230620060944.ad008a3a cpe:/a:redhat:rhel_eus:8.6 RHSA-2023:4033 2023-07-12T00:00:00Z
c-ares-0:1.13.0-6.el8_6.2 cpe:/o:redhat:rhel_eus:8.6 RHSA-2023:7392 2023-11-21T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
c-ares-0:1.13.0-6.el8_8.3 cpe:/o:redhat:rhel_eus:8.8 RHSA-2023:7543 2023-11-28T00:00:00Z
Red Hat Enterprise Linux 9
nodejs:18-9020020230531092345.rhel9 cpe:/a:redhat:enterprise_linux:9 RHSA-2023:3577 2023-06-14T00:00:00Z
nodejs-1:16.19.1-2.el9_2 cpe:/a:redhat:enterprise_linux:9 RHSA-2023:3586 2023-06-14T00:00:00Z
c-ares-0:1.19.1-1.el9 cpe:/a:redhat:enterprise_linux:9 RHSA-2023:6635 2023-11-07T00:00:00Z
c-ares-0:1.19.1-1.el9 cpe:/o:redhat:enterprise_linux:9 RHSA-2023:6635 2023-11-07T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support
nodejs-1:16.18.1-4.el9_0 cpe:/a:redhat:rhel_eus:9.0 RHSA-2023:4036 2023-07-12T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 7
rh-nodejs14-nodejs-0:14.21.3-4.el7 cpe:/a:redhat:rhel_software_collections:3::el7 RHSA-2023:4039 2023-07-12T00:00:00Z
References
Link Providers
https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1 cve-icon cve-icon
https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v cve-icon cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2023-31130 cve-icon
https://security.gentoo.org/glsa/202310-09 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20240605-0005/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2023-31130 cve-icon
https://www.debian.org/security/2023/dsa-5419 cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-25T21:45:42.645Z

Updated: 2024-08-02T14:45:26.018Z

Reserved: 2023-04-24T21:44:10.416Z

Link: CVE-2023-31130

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-05-25T22:15:09.760

Modified: 2024-06-10T17:16:12.350

Link: CVE-2023-31130

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-05-22T00:00:00Z

Links: CVE-2023-31130 - Bugzilla