c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
CVE-2023-31130 - Medium Severity Vulnerability
Executes Nodejs via GRPC from Golang client.
Library home page: https://github.com/arijitAD/Golang_Node_Executor.git
Found in HEAD commit: 1c9178c5a1b42520307da1fa7f9b1899276178ed
Found in base branch: master
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
Publish Date: 2023-05-25
URL: CVE-2023-31130
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v
Release Date: 2023-04-25
Fix Resolution: cares-1_19_1
Step up your Open Source Security Game with Mend here