CVE-2024-25629 (Medium) detected in c-aresc-ares-1.16.0

[mend-bolt-for-github]

CVE-2024-25629 - Medium Severity Vulnerability

Vulnerable Library - c-aresc-ares-1.16.0

A C library for asynchronous DNS requests.

Library home page: https://c-ares.haxx.se/?wsslib=c-ares

Found in HEAD commit: 00fdb00d5bdbaea4fec4642989374d82cbdb1a3c

Found in base branch: master

Vulnerable Source Files (3)

/deps/cares/src/ares__read_line.c
/deps/cares/src/ares__read_line.c
/deps/cares/src/ares__read_line.c

Vulnerability Details

c-ares is a C library for asynchronous DNS requests. ares__read_line() is used to parse local configuration files such as /etc/resolv.conf, /etc/nsswitch.conf, the HOSTALIASES file, and if using a c-ares version prior to 1.27.0, the /etc/hosts file. If any of these configuration files has an embedded NULL character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.

Publish Date: 2024-02-23

URL: CVE-2024-25629

CVSS 3 Score Details (4.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mg26-v6qh-x48q

Release Date: 2024-02-09

Fix Resolution: cares-1_27_0

---

Step up your Open Source Security Game with Mend here