{"id":"CVE-2023-31130","summary":"Buffer Underwrite in ares_inet_net_pton()","details":"c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain IPv6 addresses; in particular, \"0::00:00:00/2\" was found to cause an issue. c-ares itself only uses this function internally for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist(). However, users of the library may call ares_inet_net_pton() directly for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.","aliases":["GHSA-x6mf-cxr9-8q6v"],"modified":"2026-04-02T08:57:24.159505Z","published":"2023-05-25T21:45:42.645Z","related":["ALSA-2023:3577","ALSA-2023:3586","ALSA-2023:4034","ALSA-2023:4035","ALSA-2023:6635","ALSA-2023:7207","CGA-cm5w-2jq9-rv9q","SUSE-SU-2023:2313-1","SUSE-SU-2023:2477-1","SUSE-SU-2023:2655-1","SUSE-SU-2023:2662-1","SUSE-SU-2023:2663-1","SUSE-SU-2023:2669-1","SUSE-SU-2023:2861-1","openSUSE-SU-2024:12951-1"],"database_specific":{"cwe_ids":["CWE-124"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/31xxx/CVE-2023-31130.json"},"references":[{"type":"WEB","url":"https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/31xxx/CVE-2023-31130.json"},{"type":"ADVISORY","url":"https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31130"},{"type":"ADVI
SORY","url":"https://security.gentoo.org/glsa/202310-09"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240605-0005/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5419"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/c-ares/c-ares","events":[{"introduced":"0"},{"fixed":"6360e96b5cf8e5980c887ce58ef727e53d77243a"}]}],"versions":["c-ares-1_17_0","c-ares-1_2_0","cares-1_10_0","cares-1_11_0","cares-1_11_0-rc1","cares-1_12_0","cares-1_13_0","cares-1_14_0","cares-1_15_0","cares-1_16_0","cares-1_16_1","cares-1_17_1","cares-1_17_2","cares-1_18_0","cares-1_18_1","cares-1_19_0","cares-1_1_0","cares-1_2_1","cares-1_3_1","cares-1_3_2","cares-1_4_0","cares-1_5_0","cares-1_5_1","cares-1_5_2","cares-1_5_3","cares-1_6_0","cares-1_7_0","cares-1_7_1","cares-1_7_2","cares-1_7_3","cares-1_7_4","cares-1_7_5","cares-1_8_0","cares-1_9_0","cares-1_9_1","curl-7_10_8","curl-7_11_0","curl-7_11_1","curl-7_12_0","curl-7_12_1","curl-7_12_2","curl-7_13_0","curl-7_13_1","curl-7_13_2","curl-7_14_0","curl-7_14_1","curl-7_15_0","curl-7_15_1","curl-7_15_3","curl-7_15_4","curl-7_15_5","curl-7_15_6-prepipeline","curl-7_16_0","curl-7_16_1","curl-7_16_2","curl-7_16_3","curl-7_16_4","curl-7_17_0","curl-7_17_1","curl-7_18_0","curl-7_18_1","curl-7_18_2","curl-7_19_0","curl-7_19_2","curl-7_19_3","curl-7_19_4","curl-7_19_5","curl-7_19_6","curl-7_19_7","curl-7_20_0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-31130.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"}]}