C Ares
CVE-2023-31130
MEDIUM
Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
AnalysisAI
c-ares is an asynchronous resolver library. Rated medium severity (CVSS 6.4). No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-124. c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. Affected products include: C-Ares Project C-Ares, Fedoraproject Fedora, Debian Debian Linux.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to caus
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Se
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read me
c-ares is an asynchronous resolver library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial
c-ares is an asynchronous resolver library. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable
c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts whe
c-ares is an asynchronous resolver library. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, n
Same weakness CWE-124 – Buffer Underwrite ('Buffer Underflow')
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today