CVE-2023-31130
low-risk
Published 2023-05-25
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
Do I need to act?
-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.1/10
Medium
LOCAL
/ HIGH complexity
Affected Products (5)
Affected Vendors
References (16)
Third Party Advisory
https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v
Third Party Advisory
https://security.gentoo.org/glsa/202310-09
Third Party Advisory
https://www.debian.org/security/2023/dsa-5419
Third Party Advisory
https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v
Third Party Advisory
https://security.gentoo.org/glsa/202310-09
Third Party Advisory
https://www.debian.org/security/2023/dsa-5419
23
/ 100
low-risk
Severity
11/34 · Low
Exploitability
0/34 · Minimal
Exposure
12/34 · Low