CVE-2023-31130 - Medium Severity Vulnerability
Vulnerable Library - c-ares-1.16.0
A C library for asynchronous DNS requests.
Library home page: https://c-ares.haxx.se/?wsslib=c-ares
Found in base branch: master
Vulnerable Source Files (3)
/deps/cares/src/inet_net_pton.c
Vulnerability Details
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain IPv6 addresses; in particular, "0::00:00:00/2" was found to cause an issue. c-ares only uses this function internally for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist(). However, users may call ares_inet_net_pton() directly for other purposes and thus be exposed to more severe issues. This issue has been fixed in 1.19.1.
Publish Date: 2023-05-25
URL: CVE-2023-31130
CVSS 3 Score Details (6.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-x6mf-cxr9-8q6v
Release Date: 2023-04-25
Fix Resolution: cares-1_19_1